Adventures in DRM land: Sony

[YKhan]

Very detailed and technical play-by-play of somebody discovering a
rootkit installed on their system by Sony Corp.! You gotta wonder what
somebody could do if they weren't familiar with the low-level details
of a Windows system, like this guy was?

Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management
Gone Too Far
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Yousuf Khan

 

[Yousuf Khan]

Very detailed and technical play-by-play of somebody discovering a
rootkit installed on their system by Sony Corp.! You gotta wonder what
somebody could do if they weren't familiar with the low-level details
of a Windows system, like this guy was?

Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management
Gone Too Far
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Yousuf Khan

Sony capitulates after public outcry.

http://seattlepi.nwsource.com/business/1700AP_Sony_Copy_Protection.html

Yousuf Khan

 

[Tony Hill]

Sony capitulates after public outcry.

http://seattlepi.nwsource.com/business/1700AP_Sony_Copy_Protection.html

I know I'm still in the minority, but I most definitely look closely
at EVERY CD I purchase to make sure that they do not have any
copy-protection schemes built in for just this sort of reason. If a
CD lists copy-protection on the package I will not buy it. If it has
copy protection but does not list it on the package I will return the
damn thing.

As I said, I'm sure I'm in the minority, but record labels are likely
to find more and more people doing the same thing if they keep up this
non-sense. They can only depend on the ignorance of their customers
for so long, eventually people are going to wise up and move on.


Note that Sony hasn't really "capitulated" in any meaningful way, they
are STILL planning on distributing CDs that install rootkits on your
PC, they just aren't going to hide them as much.

I would be rather interested to see if anyone tries to mount a legal
challenge against Sony for this. What they are doing is walking a
VERY fine line between merely deceiving customer and fully breaking
laws regarding distributing malicious software. Their copy protection
software is, in essence, a trojan horse program.

 

[GSV Three Minds in a Can]

Bitstring <[email protected]>, from the

I know I'm still in the minority, but I most definitely look closely
at EVERY CD I purchase to make sure that they do not have any
copy-protection schemes built in for just this sort of reason. If a
CD lists copy-protection on the package I will not buy it. If it has
copy protection but does not list it on the package I will return the
damn thing.

I'm in the minority with you. I also email the record company, and the
artist (if I can find an email address for the latter) explaining why I
didn't buy their product.

I can't think of anything MORE likely to make people go buy pirated
copies (with no protection). Or just play it on the HiFi and re-rip it
to .wav.
Or just go with a more intelligent artist/publisher combination.

 

[Alan Walpool]

Yousuf> Sony capitulates after public outcry.

Yousuf> http://seattlepi.nwsource.com/business/1700AP_Sony_Copy_Protection.html

Yousuf> Yousuf Khan

Buried in comments to the first article above is a note that the root
kit will send information back to sony containing an album ID, and an ip
address. That is really nice! Whatever. The way things are going I
guess I will have one computer connected to the internet and one that
is not. ;-)).

Whatever when will this nonsense stop?

Alan

 

[Gnu_Raiz]

Yousuf> Sony capitulates after public outcry.

Yousuf> http://seattlepi.nwsource.com/business/1700AP_Sony_Copy_Protection.html

Yousuf> Yousuf Khan

Buried in comments to the first article above is a note that the root
kit will send information back to sony containing an album ID, and an ip
address. That is really nice! Whatever. The way things are going I
guess I will have one computer connected to the internet and one that
is not. ;-)).

Whatever when will this nonsense stop?

Alan

That's the problem right now how do you know you have a unique IP address?
With nat, and 802.11x its getting to the point of people wanting ipv6 just
to have unique IP's. Just look at how many grandma's, and grandpa's are
getting pulled into court, because johnny was trying to share a few files
he was not supposed to.

I really don't know how much public outcry is happening, I only see the
geekie side of the net getting all in a fuss. For the average joe it
probably will not make a big difference, after all they are still trying
to pass a bill in the US congress about the analog loophole/aka media
flag.

Also I get amused at how Holly Wood is getting excited about the video
ipod. It seems that actors, distributors want more of the pie some even
want special royalties just for redistribution. Its getting to the point
now that if you do not watch the show the time it is aired, you might be
in copyright violation. Forget about taking out the commercials and
sharing it with a friend, because that would be a copy right violation.

Another thing that is unsure is dvd audio, if you make a backup copy of a
dvd-audio dvd is that copyright violation? Then you have fair use, just
what exactly rights do we have left?

Gnu_Raiz

 

[Tony Hill]

Buried in comments to the first article above is a note that the root
kit will send information back to sony containing an album ID, and an ip
address. That is really nice! Whatever. The way things are going I
guess I will have one computer connected to the internet and one that
is not. ;-)).

Fortunately one nice and simple solution to this particular bit of
nonsense, other then simply not buying the CD, is to run Linux or any
other non-Microsoft operating system. Their "copy protection"
software only works under Windows.

Just another of the many reasons why my media center PC runs Linux.

 

[nobody]

I know I'm still in the minority, but I most definitely look closely
at EVERY CD I purchase to make sure that they do not have any
copy-protection schemes built in for just this sort of reason. If a
CD lists copy-protection on the package I will not buy it. If it has
copy protection but does not list it on the package I will return the
damn thing.

As I said, I'm sure I'm in the minority, but record labels are likely
to find more and more people doing the same thing if they keep up this
non-sense. They can only depend on the ignorance of their customers
for so long, eventually people are going to wise up and move on.


Note that Sony hasn't really "capitulated" in any meaningful way, they
are STILL planning on distributing CDs that install rootkits on your
PC, they just aren't going to hide them as much.

I would be rather interested to see if anyone tries to mount a legal
challenge against Sony for this. What they are doing is walking a
VERY fine line between merely deceiving customer and fully breaking
laws regarding distributing malicious software. Their copy protection
software is, in essence, a trojan horse program.

It is nothing new that Sony and other RIAA members would screw the
customers any way they can think of in order to keep their profits
from evaporating, technologically, or legally, or whatever. Hopefully
some lawyers will find the way to sue Sony for trashing systems of
unwitting customers. Unfortunately there is no way to sue Bill G. for
leaving in the OS security holes so huge that one can fly a 747
through. How come it is possible to use things like rootkits at all?

NNN

 

[GSV Three Minds in a Can]

Bitstring <[email protected]>, from the

It is nothing new that Sony and other RIAA members would screw the
customers any way they can think of in order to keep their profits
from evaporating, technologically, or legally, or whatever. Hopefully
some lawyers will find the way to sue Sony for trashing systems of
unwitting customers. Unfortunately there is no way to sue Bill G. for
leaving in the OS security holes so huge that one can fly a 747
through. How come it is possible to use things like rootkits at all?

In case you haven't seen it, one of the most rational discussions of the
problem (and non solution) I have seen can be found at:-

http://www.bookofhook.com/Article/GameDevelopment/TheCopyProtectionDilemm
a.html

If only Sony Et Al could actually read ....

 

[Tony Hill]

It is nothing new that Sony and other RIAA members would screw the
customers any way they can think of in order to keep their profits
from evaporating, technologically, or legally, or whatever. Hopefully
some lawyers will find the way to sue Sony for trashing systems of
unwitting customers. Unfortunately there is no way to sue Bill G. for
leaving in the OS security holes so huge that one can fly a 747
through. How come it is possible to use things like rootkits at all?

All OSes in existence allow the use of Rootkits if you run things as
the superuser. The trick is that in most cases you do NOT run
everything as superuser if you can avoid it. In corporate use this
shouldn't be much of an issue because WinXP Pro is well setup to have
all users log in as non-privileged users and only to use an
administrator account when absolutely necessary. Even for home use
this is quite easy to setup if you run WinXP Pro (that is exactly how
I'm running XP Pro at this moment), though while the OS works great
for this, some applications are VERY poorly written in this regard.

Still, the problem is not so much a security hole in the traditional
sense of things as it is a matter of a design decision. Microsoft
choose to make their OS extremely vulnerable to trojan horses and the
like in an effort to make things "easier" for customers. Sadly
enough, this was probably the right choice. Just watch you're average
MacOS user who will blindly type in their Root password any time
they're asked for it and be annoyed that they always need to do so.

 

[George Macdonald]

All OSes in existence allow the use of Rootkits if you run things as
the superuser. The trick is that in most cases you do NOT run
everything as superuser if you can avoid it. In corporate use this
shouldn't be much of an issue because WinXP Pro is well setup to have
all users log in as non-privileged users and only to use an
administrator account when absolutely necessary. Even for home use
this is quite easy to setup if you run WinXP Pro (that is exactly how
I'm running XP Pro at this moment), though while the OS works great
for this, some applications are VERY poorly written in this regard.

It's my guess that most home users got pissed with trying to live with a
less privileged level than "administrators" long ago... after the first
week or so of wrestling with it. In WinXP corporate use, this is
aggravated by the lack of fast switching from a domain logon. Telling
users to live with Power User privilege and then expecting them to run
scandisks and defrags is just an exercise in futility; where those users
are system or code developers, it's just additional wasted effort - IOW
hardly surprising they won't put up with it.

From what I've seen it's not unusual at all for corporate WinXP users to be
allowed to run as a local adminstrator - the domain admins just get so
tired of trying to enforce any other discipline.

The problem with rootkits has nothing to do with running as "superuser" -
it's the fact that even as "superuser", you cannot see the "cloaked"
rootkit programs and services running, i.e. observe their resource usage.
Allowing such cloaking to be installed -- patched into the kernel --
through the usual application installation procedures *is* IMO a severe
security hole in any OS.

Personally I'm heartily sick of the whole Windows experience: the recent
bugs in the Automatic Update process -- apparently corrected early Friday
morning -- upon which M$ appears to be utterly silent, has been just
another source of desperate frustration. When you look at all the other
deficiencies, such as (not) viewing group privileges and the amazingly
half-assed implementation of file/folder "junctions" it all boils down to a
complete cock-up to me... patches upon patches of odiferous crap laid on a
stinking half-baked pie.

 

[Robert Redelmeier]

It's my guess that most home users got pissed with trying
to live with a less privileged level than "administrators"
long ago... after the first week or so of wrestling with it.

I've never had any trouble with my kids or friends I've set up
that way. One key is giving them the root pswd so they don't
feel disempowered. And explaining the security benefits.
One person wanted _two_ user accounts, one for everyday and
a second for only secure surfing. A good idea!

Users aren't idiots even if they are ignorant. They _are_
deeply concerned (paranoid) about security, and user isolation
is a significant improvement. They see the benefits.

For the last 10 years I' ve been running Linux. Do you think
I spend all my time logged on as 'root'? H3ll no! I find the
additional security well worth the occasional inconvenience.

-- Robert

 

[George Macdonald]

I've never had any trouble with my kids or friends I've set up
that way. One key is giving them the root pswd so they don't
feel disempowered. And explaining the security benefits.
One person wanted _two_ user accounts, one for everyday and
a second for only secure surfing. A good idea!

Users aren't idiots even if they are ignorant. They _are_
deeply concerned (paranoid) about security, and user isolation
is a significant improvement. They see the benefits.

Funny there are so many infected systems all over then. You must be
dealing with a umm, better class of user. I've been stunned at some of
the risks that people are willing to take... even with company systems.
Zero-day infection is a term which they refuse to incorporate in their
lexicon - if it interferes with their ability to install/run P2P,
(early)Skype, game DLs, favorite freeware, "improved shopping experience"
etc. etc. they won't have it.

There *are* of course often serious corporate political issues involved but
I'd be willing to bet that most infections of corporate LANs got entry
through a notebook which goes home with its user every day. How do you
tell a $$ successful "road warrior' that he's a corporate LAN rogue? The
contortions currently being implemented by some corps to protect againt
this err, situation are, when you boil it down, utterly *NUTS*.

For the last 10 years I' ve been running Linux. Do you think
I spend all my time logged on as 'root'? H3ll no! I find the
additional security well worth the occasional inconvenience.

Linux !== Windows XP though and for someone who has never used a real OS,
it seems nuts to have to logoff/logon/logoff/logon to install some SW...
which usually needs repeating 2/3 times to get right. However depressing,
it does seem to me that most users are indeed lusers - too stupid to be
using software at all and most AV software is beyond their competence...
you can show them but somehow, it just doesn't "take". Though we are a SW
development operation, we get calls from people who "found us in the yellow
pages" all the time... wondering if we can help them with an "infected
computer".

I talked recently to a local system builder and he gets this stuff multiple
times per day - he tells them they can't afford a "clean-up" -- literally
the cost of a new home computer -- but he will reformat and reinstall
Windows for them. This *is* ultimately the fault of M$!.. who on top of
all this want to police those same lusers like thieves. To me it does beg:
who is the thief here?

 

[nobody]

On Thu, 03 Nov 2005 01:15:35 -0500, Tony Hill

I would be rather interested to see if anyone tries to mount a legal
challenge against Sony for this. What they are doing is walking a
VERY fine line between merely deceiving customer and fully breaking
laws regarding distributing malicious software. Their copy protection
software is, in essence, a trojan horse program.

Tony,
I hope this will satisfy your interest:

Italian group ALCEI is suing Sony over the rootkitting DRM infection.
http://theinquirer.net/?article=27508

And you thought the US is the most litigeous country in the whole
world ;-)

NNN

 

[Robert Redelmeier]

Funny there are so many infected systems all over then.
You must be dealing with a umm, better class of user. I've
been stunned at some of the risks that people are willing to
take ... even with company systems.

I think a lot of this risk is taken because users simply do not
know better. They do not know the concept of least-privilidge
nor that it is relatively easy to implement even on MS-Win*
(except 9*).

For once, I can't even blame MicroSoft Dell and other
OEMs are the ones writing the checks, and doubtless _insist_
on single user configs to reduce their support costs.

it seems nuts to have to logoff/logon/logoff/logon to install
some SW... which usually needs repeating 2/3 times to get right.

I don't have any trouble explaining this: Installing software
obviously changes the system. You don't do this everyday.
So why have the power to do it by accident (or virus malice)?
It's like running with scissors.

However depressing, it does seem to me that most users are
indeed lusers - too stupid to be using software at all and
most AV software is beyond their competence... you can show
them but somehow, it just doesn't "take".

Showing does nothing -- it's a cookbook that gets forgotten.
People need to learn principles. And many will.

I talked recently to a local system builder and he gets this
stuff multiple times per day - he tells them they can't afford
a "clean-up" -- literally the cost of a new home computer --

That cheap? An actual cleaning is usually uneconomic --
it's cheaper to backup user data and reinstall.

but he will reformat and reinstall Windows for them. This *is*
ultimately the fault of M$!.. who on top of all this want to
police those same lusers like thieves. To me it does beg:
who is the thief here?

M$ _is_ culpable for their egregious design decisions and
defaults, let alone the bugs and holes in their systems.

-- Robert

 

[Keith]

I think a lot of this risk is taken because users simply do not
know better. They do not know the concept of least-privilidge
nor that it is relatively easy to implement even on MS-Win*
(except 9*).

I do it, and know better. ;-) I was issued a new laptop last week
(my ThinkPad A21p is no more - snif). The corporate WinXP image as
installed and configured by the workstation support group has one
user and is set up as administrator. That's the way it's supposed
to be used.

For once, I can't even blame MicroSoft Dell and other
OEMs are the ones writing the checks, and doubtless _insist_
on single user configs to reduce their support costs.

Could be the same reasoning here.

I don't have any trouble explaining this: Installing software
obviously changes the system. You don't do this everyday.
So why have the power to do it by accident (or virus malice)?
It's like running with scissors.

You don't? I seem to be installing *something* all the time. I
just spent a *week* doing little else other than installing
software. Well, two days, twice (the laptop crashed and burned,
hard enough to force a format/reinstall). :-(

Showing does nothing -- it's a cookbook that gets forgotten.
People need to learn principles. And many will.

Windows? Principles? It's a bloody appliance. Users don't want
to know any more than not to stick the fork in the toaster.

That cheap? An actual cleaning is usually uneconomic --
it's cheaper to backup user data and reinstall.

It took me two days to track down/install/configure everything I
need (something never needed with OS/2). Reinstall isn't cheap
either. At >$100/hr, might just as well throw the hardware away
too. ;-)/2

 

[Robert Redelmeier]

I do it, and know better. ;-) I was issued a new laptop last
week (my ThinkPad A21p is no more - snif). The corporate

My sincere condolencses at your loss.

WinXP image as installed and configured by the workstation
support group has one user and is set up as administrator.
That's the way it's supposed to be used.

I'm appalled. NIST has some very good security guidelines,
and privilidge isolation is the most elementary.

Could be the same reasoning here.

Could be, but at a longer term cost. Our corp image is
locked-down. No-one gets Admin, and only a few get "Power User".

You don't? I seem to be installing *something* all the time.

Not me. A lot of stuff will run as ordinary user.

I just spent a *week* doing little else other than installing
software. Well, two days, twice (the laptop crashed and
burned, hard enough to force a format/reinstall). :-(

Yes, intalls come in waves.

Windows? Principles? It's a bloody appliance. Users don't
want to know any more than not to stick the fork in the toaster.

I consider user isolation about the same level of boneheadedness.

It took me two days to track down/install/configure
everything I need (something never needed with OS/2).
Reinstall isn't cheap either. At >$100/hr, might just as
well throw the hardware away too. ;-)/2

Agreed. It isn't the reinstall that's so tough, but the
reconfiguring all the individual apps. Ah well, another
reason to dislike The Registry!

-- Robert

 

[GSV Three Minds in a Can]

Bitstring <[email protected]>, from the

Italian group ALCEI is suing Sony over the rootkitting DRM infection.
http://theinquirer.net/?article=27508

And you thought the US is the most litigeous country in the whole
world ;-)

Ah, but when the =Italian= suits come calling, you don't need lawyers,
you need your bullet proof underwear.

 

[Keith]

My sincere condolencses at your loss.

I held out as long as I thought I could (talked the boss up to a
T42p . ...not quite the same display resolution, but a 2GHz PM
(vs. 850MHz PIII) and 2GB (vs. 512MB). It's ok. ;-)

I'm appalled. NIST has some very good security guidelines,
and privilidge isolation is the most elementary.

When security gets in the way of productivity, it's not
productivity that gets left behind these days.

Could be, but at a longer term cost. Our corp image is
locked-down. No-one gets Admin, and only a few get "Power User".

Interestingly I don't get root priveleges on my AIX machine, but
*own* the laptop. Perhaps they've decided it's not controllable.
Dunno, but I'd likely use a "user" ID if it were mandated. I just
don't like the constant loging out/in in windows. At least SU
works in *ix.

Not me. A lot of stuff will run as ordinary user.

Installs? I suspect I could *run* as "user", but I've never tried.
;-)

Yes, intalls come in waves.

Morton salt.

I consider user isolation about the same level of boneheadedness.

Don't disagree, much.

Agreed. It isn't the reinstall that's so tough, but the
reconfiguring all the individual apps. Ah well, another
reason to dislike The Registry!

I guess maybe! What a huge step backwards that was. I'd rather
manually edit config.sys and autoexec.bat.

 

[George Macdonald]

I think a lot of this risk is taken because users simply do not
know better. They do not know the concept of least-privilidge
nor that it is relatively easy to implement even on MS-Win*
(except 9*).

Oh they know.

For once, I can't even blame MicroSoft Dell and other
OEMs are the ones writing the checks, and doubtless _insist_
on single user configs to reduce their support costs.

Dell et.al. has nothing to do with corporate systems and their setup. As
for M$, there have been several default installation results and the most
common one, if you give a specific user name during install is to create a
user with name "administrator" with no password... not blame M$ for that?

I don't have any trouble explaining this: Installing software
obviously changes the system. You don't do this everyday.
So why have the power to do it by accident (or virus malice)?
It's like running with scissors.

Sorry - "too much trouble"... and it can make a real mess if they do it
wrongly, e.g. install Firefox and forget to run it once as an
administrator; with other software it's the other way around.

Showing does nothing -- it's a cookbook that gets forgotten.
People need to learn principles. And many will.

Show or walk them through it themselves - nothing works<shrug> They don't
want to - they want to do it their way... with the minimum of disturbance
to their usage, which is usually risky.