Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-15 Thread Raymond Horton


WASHINGTON POST.COM
SECURITY FIX
Brian Krebs on Computer Security
More Sony Problems to Be Revealed


Several groups of privacy and security experts are expected to release 
research later today that points to multiple, serious security flaws 
present in *XCP*, the anti-piracy software used on an undisclosed 
number of *Sony BMG* music CDs. (For the record, *Security Fix* observed 
that experts were busily searching for such flaws 
http://blogs.washingtonpost.com/securityfix/2005/11/hackers_raid_so_1.html 
shortly after this whole fiasco began).


According to details provided by prominent security researcher *Dan 
Kaminsky http://www.doxpara.com*, the resulting public outcry could 
make Sony feel like the last two weeks of consumer backlash were a walk 
in the park.


Kaminsky will be unveiling research that indicates just how many 
computer networks have Sony's anti-piracy software installed on them. 
Kaminsky declined to be more specific, but numbers referenced 
http://www.washingtonpost.com/wp-srv/technology/daily/graphics/complaint_111405.pdf 
in a class-action lawsuit filed Tuesday in New York 
http://blogs.washingtonpost.com/securityfix/2005/11/sony_faces_anot.html 
against Sony and XCP maker *First4Internet* indicate that Sony sold 
approximately 3 million music CDs carrying the software.


"The net effect is that it's not in doubt that Sony has created a major 
security event on the Net," Kaminsky said in an online chat last night.


But wait, it gets ... er ... better. The researchers discovered a 
security flaw in XCP (which stands for extended copyright protection) 
that could afford attackers a window through which to break into 
computers running the software and install additional software or viruses.


Kaminsky told me that one of the researchers involved in the 
investigation is *Edward Felten 
http://www.cs.princeton.edu/%7Efelten/*, a professor of computer 
science and public affairs at Princeton University.


And indeed, Felten's blog -- *Freedom to Tinker* 
http://www.freedom-to-tinker.com/?p=926 -- hints as to the research he 
will release tomorrow along with *Alex Halderman 
http://www.princeton.edu/%7Ejhalderm/*, a Ph.D. student at Princeton 
whose research http://www.cs.princeton.edu/%7Ejhalderm/cd3/ includes 
digital rights management technologies, including *SunnComm Technologies 
http://www.sunncomm.com/index_flash.html*, a different anti-piracy 
program used by other Sony titles 
http://www.boingboing.net/2005/11/10/sony_music_cds_infec.html :


Alex Halderman and I have confirmed that Sony’s Web-based XCP 
uninstallation utility exposes users to serious security risk. Under at 
least some circumstances, running Sony’s Web-based uninstaller opens a 
huge security hole on your computer. We have a working demonstration 
exploit. ... In the meantime, we recommend strongly against downloading 
or running Sony’s Web-based XCP uninstaller.


(The name of Felten's blog is a nod to his prior 
http://www.boingboing.net/2005/11/10/sony_music_cds_infec.html high-profile 
legal dust-up with the entertainment industry 
http://www.eff.org/IP/DMCA/Felten_v_RIAA/faq_felten.html over alleged 
violations of the Digital Millennium Copyright Act 
http://www.copyright.gov/legislation/dmca.pdf.)


I tried to contact Felten earlier today, and no doubt he was too busy 
with this research to grab the phone. I contacted Halderman by e-mail, 
who confirmed that the uninstaller can create even worse problems than 
those created by the anti-piracy software itself. Halderman said further 
details would be available on Felten's site later today.


One of XCP's most alarming traits for security researchers has been its 
ability to hide not just its own files on a user's PC but also those of 
any other files, viruses or worms that follow the program's file-naming 
rules -- hidden so well that even antivirus programs can't find it.


Last week, about the same time that someone mass-spammed several 
versions of a virus 
http://blogs.washingtonpost.com/securityfix/2005/11/virus_writers_e.html 
designed to take advantage of XCP's file-hiding abilities, Sony issued a 
patch to help users remove the file-hiding function. (The patch did 
not uninstall the program itself, which resists removal so effectively 
that security researchers have equated it to a rootkit 
http://en.wikipedia.org/wiki/Rootkit.)


But according to research to be presented tomorrow, that very same patch 
Sony issued to help close the security hole exposed by its software 
actually introduces additional security flaws.


While exposing oblivious users to additional risks when someone or 
something has already compromised their computer is in itself 
inexcusable, opening that user's system to backdoor security flaws and 
then paving the way for attackers to install whatever they please 
without fear of detection or removal is unconscionable.


Imagine the potential consequences of military personnel or government 

Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-15 Thread David W. Fenton
On 15 Nov 2005 at 10:38, Raymond Horton wrote:

   WASHINGTON POST.COM
   SECURITY FIX
   Brian Krebs on Computer Security
   More Sony Problems to Be Revealed
[]

 Imagine the potential consequences of military personnel or government
 employees at work on a sensitive government network popping one of
 these CDs into their computer to listen to their favorite Sony-label
 music artist. If only half of this research turns out to be supported
 by the broader security community, Sony is about to find itself in
 big-league legal trouble.

If the military is running its Windows PCs with admin-level user 
logons, then this Sony rootkit is the least of our worries.

You can't be infected with this by accident, and if you're running 
your Windows computer properly (with a user logon that lacks 
administrative capabilities), then you simply can't be infected by 
it.

-- 
David W. Fenton            http://www.bway.net/~dfenton
David Fenton Associates    http://www.bway.net/~dfassoc

___
Finale mailing list
Finale@shsu.edu
http://lists.shsu.edu/mailman/listinfo/finale


Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-15 Thread Raymond Horton




Don't tell me/us - tell Brian Krebs at the Washington Post.

David W. Fenton wrote:

> On 15 Nov 2005 at 10:38, Raymond Horton wrote: (forwarded)
>
> > WASHINGTON POST.COM
> > SECURITY FIX
> > Brian Krebs on Computer Security
> > More Sony Problems to Be Revealed
> >
> > []
> >
> > Imagine the potential consequences of military personnel or government
> > employees at work on a sensitive government network popping one of
> > these CDs into their computer to listen to their favorite Sony-label
> > music artist. If only half of this research turns out to be supported
> > by the broader security community, Sony is about to find itself in
> > big-league legal trouble.
>
> If the military is running its Windows PCs with admin-level user
> logons, then this Sony rootkit is the least of our worries.
>
> You can't be infected with this by accident, and if you're running
> your Windows computer properly (with a user logon that lacks
> administrative capabilities), then you simply can't be infected by
> it.



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-13 Thread dhbailey

Lora Crighton wrote:
> [snip]
> I do a lot of my CD listening at the computer, and I will certainly think
> twice before I buy another Sony CD.

In order to have any effect in the marketplace, you need to tell Sony 
about your decision, don't just tell your friends.


--
David H. Bailey
[EMAIL PROTECTED]


Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-12 Thread Lora Crighton

On 11/11/05, David W. Fenton [EMAIL PROTECTED] wrote:
> On 11 Nov 2005 at 12:47, Robert Patterson wrote:
> > Christopher Smith wrote:
> >
> > > I would sue if
> > > something like this was installed on my computer by a so-called
> > > reputable company.
> >
> > As much as I agree with the sentiment, I suspect anyone who is
> > infected with this thing clicked thru a license agreement that allowed
> > Sony to install their software.
>
> But the EULA was deceptive and did not fully explain what the
> software was doing and what its risks were. To me, almost every EULA
> I've ever seen is so misleading as to be practically a lie, but this
> one was an actual LIE in that it omitted crucially important
> information about what you were agreeing to.

I read the EULA, and it seemed to imply that the program was removable. I usually just click without reading all the clauses, but after reading that one, I realize that I have been silly - I think it is scary just how one-sided the agreement is. You are basically letting them say they can disable your computer and destroy your data, but have no liability to you.

> But, even if none of the lawsuits against Sony succeed, Sony has
> already lost revenue, because a large number of people who were
> wholly unaffected by this rootkit will refuse to ever buy Sony
> products of any kind, for fear of some other nefarious activity on
> Sony's part.

I do a lot of my CD listening at the computer, and I will certainly think twice before I buy another Sony CD.

Lora


Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-12 Thread BC2

 
Sony drops antipiracy technology from its CDs
Ted Bridis, Associated Press
November 12, 2005


WASHINGTON - Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.

Sony defended its right to prevent customers from illegally copying music but said that, as a precautionary measure, it will halt manufacturing CDs with the XCP technology. "We also intend to reexamine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," the company said in a prepared statement.

The antipiracy technology, which works only on Windows computers, prevents customers from making more than a few copies of the compact disc and prevents them from loading the CD's songs onto Apple Computer's popular iPod music players.

Some other music players, which recognize Microsoft's proprietary music format, would work.

Sony's announcement came one day after leading security companies disclosed that hackers were distributing malicious programs over the Internet that exploited the antipiracy technology's ability to avoid detection. Hackers discovered that they can effectively render their programs invisible by using names for computer files similar to ones cloaked by the Sony technology.

A Homeland Security official cautioned entertainment companies against discouraging piracy in ways that also make computers vulnerable. Stewart Baker, assistant secretary for policy at DHS, did not cite Sony by name in his remarks Thursday but described industry efforts to install hidden files on consumers' computers.

"It's very important to remember that it's your intellectual property, it's not your computer," Baker said at a trade conference on piracy. "And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Sony's program is included on about 20 popular music titles, including releases by Van Zant and the Bad Plus.

"This is a step they should have taken immediately," said Mark Russinovich, chief software architect at Winternals Software, who discovered the hidden copy-protection technology Oct. 31 and posted his findings on his Web log. He said Sony did not admit wrongdoing, nor did it promise not to use similar techniques in the future.

Security researchers have described Sony's technology as spyware, saying it is difficult to remove and transmits without warning details about what music is playing. They said Sony's notice to consumers about the technology was inadequate. Sony executives have rejected the description of their technology as spyware.

Some leading antivirus companies updated their protective software this week to detect Sony's antipiracy program, disable it and prevent it from reinstalling.

After Russinovich criticized Sony, it made available a software patch that removed the technology's ability to avoid detection. It also made more broadly available its instructions on how to remove the software permanently. Customers who remove the software are unable to listen to music CDs on their computers.

On Nov 12, 2005, at 3:43 PM, Lora Crighton wrote:

> On 11/11/05, David W. Fenton [EMAIL PROTECTED] wrote:
> > On 11 Nov 2005 at 12:47, Robert Patterson wrote:
> > > Christopher Smith wrote:
> > >
> > > > I would sue if
> > > > something like this was installed on my computer by a so-called
> > > > reputable company.
> > >
> > > As much as I agree with the sentiment, I suspect anyone who is
> > > infected with this thing clicked thru a license agreement that allowed
> > > Sony to install their software.
> >
> > But the EULA was deceptive and did not fully explain what the
> > software was doing and what its risks were. To me, almost every EULA
> > I've ever seen is so misleading as to be practically a lie, but this
> > one was an actual LIE in that it omitted crucially important
> > information about what you were agreeing to.
>
> I read the EULA, and it seemed to imply that the program was removable.  I usually just click without reading all the clauses, but after reading that one, I realize that I have been silly - I think it is scary just how one-sided the agreement is.  You are basically letting them say they can disable your computer and destroy your data, but have no liability to you.
>
> > But, even if none of the lawsuits against Sony succeed, Sony has
> > already lost revenue, because a large number of people who were
> > wholly unaffected by this rootkit will refuse to ever buy Sony
> > products of any kind, for fear of some other nefarious activity on
> > Sony's part.
>
> I do a lot of my CD listening at the computer, and I will certainly think twice before I buy another Sony CD.
>
> Lora


Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Darcy James Argue

On 10 Nov 2005, at 8:58 PM, Brad Beyenhof wrote:

> On 11/10/05, Robert Patterson [EMAIL PROTECTED] wrote:
>
> > Mac users (as with a previous CD/CP scheme) are immune.
>
> Not completely true:
> http://digg.com/apple/Sony_Music_CDs_infect_Macs,_too_
>
> It's not as invasive or as automatic, but there is DRM software on
> Sony CDs for Macs as well.

Uh, saying that it's not as invasive or automatic is the 
understatement of the year.

From the comments to the thread you linked to:

"It does NOT install anything on your Mac unless you dig deep into a 
separate partition of the disc, run a hidden program, and enter an 
admin password."

This is not to excuse Sony's implementation of this, of course, but 
Mac users aren't at risk from it unless they go to quite a lot of 
trouble to put themselves at risk.


- Darcy
-
[EMAIL PROTECTED]
http://secretsociety.typepad.com
Brooklyn, NY




Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Phil Daley

At 11/10/2005 08:03 PM, Gerhard Torges, geb. Hölscher wrote:

> When one of these CDs is put into the computer's CD or DVD drive, it
> installs software that
>
> - hides itself from the user
> - opens backdoors enabling the PC to be controlled from the internet
> - submits infos on played CDs (and maybe more) to Sony BMG
> - disturbs MP3 playback and iPod filling
> - consumes up to 2% CPU time EVEN IF NO CD OR SOUND FILE IS PLAYED
> - is not removable

True that it installs a rootkit, which is horrible to do to any user,
but it IS removable by a knowledgeable user.


Phil Daley 
AutoDesk 
http://www.conknet.com/~p_daley






Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Phil Daley

At 11/10/2005 08:21 PM, John Howell wrote:

> OK, esteemed computer gurus:  urban legend, spam or confirmed terrorism?

Confirmed, it is even on radio and TV news.

But, again, it is removable.

Phil Daley   AutoDesk 
http://www.conknet.com/~p_daley





Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Phil Daley

At 11/10/2005 08:43 PM, David W. Fenton wrote:

> One of the things it does is hook into low-level file I/O subroutines
> to hide its own files and its own activities. This is accomplished by
> hiding every file/directory that begins with $sys$ (or a similar such
> pattern -- I could be misremembering the exact prefix).

That's exactly the correct prefix.

Phil Daley   AutoDesk 
http://www.conknet.com/~p_daley





Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread dhbailey

Christopher Smith wrote:
> [snip] I'm glad (for now!) that I'm unaffected by this. Of course, at
> any time that may change...
>
> [snip]

One thing I have NOT seen in all these discussions is a list of the CDs 
that had that awful stuff on them, so we can avoid purchasing them and 
if we already own them, avoid using them on our computers.


Has anybody seen such a list?

--
David H. Bailey
[EMAIL PROTECTED]


Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Christopher Smith


On Nov 11, 2005, at 6:59 AM, dhbailey wrote:

> Christopher Smith wrote:
> > [snip] I'm glad (for now!) that I'm unaffected by this. Of course, at
> > any time that may change...
> >
> > [snip]
>
> One thing I have NOT seen in all these discussions is a list of the
> CDs that had that awful stuff on them, so we can avoid purchasing them
> and if we already own them, avoid using them on our computers.
>
> Has anybody seen such a list?

Here's a partial list, from the original post:

The EFF has made a list of CD's being affected with this software:

http://www.eff.org/deeplinks/archives/004144.php

But when it says Content Protected on the label and you see mention 
of the word XCP in the fine print that you should probably worry.



In response to someone who said it WAS removable, my understanding is 
that removing it disables your CD drive. I don't know enough about PCs 
to comment, but a pretty smart guy (Mark Russinovich) with some 
sophisticated tools, some of which he wrote himself, spent a lot of 
time to get his system back into shape. How many casual users have that 
kind of knowledge?



But on the plus side, disabling Auto run prevents it.

(Macs have this option, too. I remember one virus years ago that I 
never got, but the inoculation was turn off auto play for cds.)


Christopher



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Phil Daley

At 11/11/2005 08:20 AM, Christopher Smith wrote:

> In response to someone who said it WAS removable, my understanding is
> that removing it disables your CD drive. I don't know enough about PCs
> to comment, but a pretty smart guy (Mark Russinovich) with some
> sophisticated tools, some of which he wrote himself, spent a lot of
> time to get his system back into shape. How many casual users have that
> kind of knowledge?

Sony has an uninstaller available on a web site somewhere.

Phil Daley   AutoDesk 
http://www.conknet.com/~p_daley





Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Brad Beyenhof
On 11/11/05, Phil Daley [EMAIL PROTECTED] wrote:
 At 11/10/2005 08:43 PM, David W. Fenton wrote:

 One of the things it does is hook into low-level file I/O subroutines
 to hide its own files and its own activities. This is accomplished by
 hiding every file/directory that begins with $sys$ (or a similar such
 pattern -- I could be misremembering the exact prefix).

 That's exactly the correct prefix.

In fact, I know of a guy who put a file called $sys$_canary on his
desktop, so that he'll know if he ever gets this rootkit because the
file will disappear (like the canaries used by miners). While
humorous, I think it's kind of silly... just don't ever click OK to
Sony's EULA, or hold Shift when inserting one of their CDs so that
AutoRun won't kick in. As previously mentioned, you can disable
AutoRun altogether, but that seems a bit extreme to me.

--
Brad Beyenhof
Real-time Finale discussion: http://www.finaleirc.com
my blog: http://augmentedfourth.blogspot.com
Silence will save me from being wrong (and foolish), but it will also
deprive me of the possibility of being right.   ~ Igor Stravinsky
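
The canary file described in the message above can be turned into a repeatable check by comparing two views of the same folder: what directory enumeration reports, and what an exact-path lookup reports. This is an added example, not part of the original thread; the function names and the control file are hypothetical, and the hiding filter is a constructed stand-in that only mimics the $sys$ prefix rule mentioned in the thread.

```python
import os
import tempfile

PREFIX = "$sys$"               # hiding prefix named in the thread
CANARY = PREFIX + "_canary"    # canary file name used in the thread
CONTROL = "control_canary"     # hypothetical control file, no prefix

CLEAN, HIDDEN, MISSING, INCONCLUSIVE = "clean", "hidden", "missing", "inconclusive"


def plant(directory):
    """Create the canary and the control file; empty files are enough."""
    for name in (CANARY, CONTROL):
        with open(os.path.join(directory, name), "a"):
            pass


def check(directory, list_dir=os.listdir):
    """Classify the canary by comparing two views of the same directory.

    list_dir is injectable so the check can be exercised against a
    simulated hiding filter; in normal use it is os.listdir.
    """
    try:
        listed = set(list_dir(directory))
    except OSError:
        return INCONCLUSIVE
    if CONTROL not in listed:
        # Without the control we cannot tell prefix-based hiding from a
        # cleaned-up folder, a wrong path or a canary that was never planted.
        return INCONCLUSIVE
    if CANARY in listed:
        return CLEAN
    # Second view: ask for the canary by exact path instead of enumerating.
    if os.path.exists(os.path.join(directory, CANARY)):
        return HIDDEN      # present on disk, filtered out of the listing
    return MISSING         # deleted, or hidden from both views


def simulated_hiding_listdir(directory):
    """Constructed stand-in for a hooked enumeration: drops $sys$ names."""
    return [n for n in os.listdir(directory) if not n.startswith(PREFIX)]


def demo():
    """Run the check through all four outcomes in a scratch directory."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        plant(d)
        results.append(check(d))                            # normal listing
        results.append(check(d, simulated_hiding_listdir))  # filtered listing
        os.remove(os.path.join(d, CANARY))
        results.append(check(d))                            # canary deleted
        os.remove(os.path.join(d, CONTROL))
        results.append(check(d))                            # control gone too
    return results


if __name__ == "__main__":
    print(demo())
```

The control file is what separates "names with this prefix are being filtered" from "someone emptied the folder"; a lone canary cannot tell those apart.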



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Brad Beyenhof
On 11/11/05, Phil Daley [EMAIL PROTECTED] wrote:
 Sony has an uninstaller available on a web site somewhere.

That uninstaller does not remove the rootkit in its entirety, it
just disables the $sys$ file hiding (which has already been exploited
in a new Trojan that just came out).

--
Brad Beyenhof
Real-time Finale discussion: http://www.finaleirc.com
my blog: http://augmentedfourth.blogspot.com
Silence will save me from being wrong (and foolish), but it will also
deprive me of the possibility of being right.   ~ Igor Stravinsky



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Christopher Smith


On Nov 11, 2005, at 8:42 AM, Phil Daley wrote:

> At 11/11/2005 08:20 AM, Christopher Smith wrote:
>
> > In response to someone who said it WAS removable, my understanding is
> > that removing it disables your CD drive. I don't know enough about PCs
> > to comment, but a pretty smart guy (Mark Russinovich) with some
> > sophisticated tools, some of which he wrote himself, spent a lot of
> > time to get his system back into shape. How many casual users have
> > that kind of knowledge?
>
> Sony has an uninstaller available on a web site somewhere.




Unless something has come out very recently, the Sony uninstaller 
doesn't uninstall anything; it just makes the hidden files visible. You 
still can't remove them without disabling your CD drive, unless you are 
savvy enough to know how to work around it.


This seems to me to be destructive in the extreme. I would sue if 
something like this was installed on my computer by a so-called 
reputable company.


Christopher




Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread Robert Patterson

Christopher Smith wrote:

> I would sue if
> something like this was installed on my computer by a so-called
> reputable company.

As much as I agree with the sentiment, I suspect anyone who is infected 
with this thing clicked thru a license agreement that allowed Sony to 
install their software.

Yesterday's msnbc.com mentioned a lawsuit filed against Sony due to 
malware that is now in the wild that exploits the software Sony 
installed. This seems like a more promising case. No matter what, 
though, I suspect Sony has not heard the end of it in court.


And of course, if found liable, Sony will turn around and sue their CP 
vendor. It's lovely, I think. The whole lot of 'em deserves their 
stinking mess.


--
Robert Patterson

http://RobertGPatterson.com


Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread David W. Fenton
On 11 Nov 2005 at 6:56, Phil Daley wrote:

 At 11/10/2005 08:21 PM, John Howell wrote:
 
  OK, esteemed computer gurus:  urban legend, spam or confirmed
  terrorism?
 
 Confirmed, it is even on radio and TV news.
 
 But, again, it is removable.

This is ridiculous. It is *extremely difficult* to remove without 
rebuilding your Windows installation almost from scratch.

If a sexual partner gave you syphilis, the fact that it is a disease 
easily treatable with penicillin would not make it any less terrible.

-- 
David W. Fenton            http://www.bway.net/~dfenton
David Fenton Associates    http://www.bway.net/~dfassoc



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread David W. Fenton
On 11 Nov 2005 at 8:42, Phil Daley wrote:

 At 11/11/2005 08:20 AM, Christopher Smith wrote:
 
  In response to someone who said it WAS removable, my understanding
  is that removing it disables your CD drive. I don't know enough
  about PCs to comment, but a pretty smart guy (Mark Russinovich) with
  some sophisticated tools, some of which he wrote himself, spent a
  lot of time to get his system back into shape. How many casual users
  have that kind of knowledge?
 
 Sony has an uninstaller available on a web site somewhere.

All the uninstaller does is reveal the files.

In fact the uninstaller adds *more* files to the program (at least, 
that was the case with the version that was out last week; perhaps 
with all the bad press they got from that, they've replaced it with a 
*real* uninstaller?).

This is ridiculous, Phil. Why are you defending Sony on this odious 
practice?

-- 
David W. Fenton            http://www.bway.net/~dfenton
David Fenton Associates    http://www.bway.net/~dfassoc



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread David W. Fenton
On 11 Nov 2005 at 6:13, Brad Beyenhof wrote:

 On 11/11/05, Phil Daley [EMAIL PROTECTED] wrote:
  At 11/10/2005 08:43 PM, David W. Fenton wrote:
 
  One of the things it does is hook into low-level file I/O
  subroutines to hide its own files and its own activities. This is
  accomplished by hiding every file/directory that begins with $sys$
  (or a similar such pattern -- I could be misremembering the exact
  prefix).
 
  That's exactly the correct prefix.
 
 In fact, I know of a guy who put a file called $sys$_canary on his
 desktop, so that he'll know if he ever gets this rootkit because the
 file will disappear (like the canaries used by miners). While
 humorous, I think it's kind of silly... just don't ever click OK to
 Sony's EULA, or hold Shift when inserting one of their CDs so that
 AutoRun won't kick in. As previously mentioned, you can disable
 AutoRun altogether, but that seems a bit extreme to me.

And if you're not running an administrative logon, it won't make any 
difference if you *do* have Autoplay on and click YES to the EULA -- 
it won't be able to install. Perhaps it's smart enough to use the 
RunAs service to ask you for an administrative logon/password 
(somewhat like SU on UNIXen), but if you don't supply it, it won't be 
able to install, since it can only work by modifying Windows system 
files and registry settings that on Win2K and WinXP are read-only for 
user-level logons.

-- 
David W. Fenton            http://www.bway.net/~dfenton
David Fenton Associates    http://www.bway.net/~dfassoc



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread David W. Fenton
On 11 Nov 2005 at 6:15, Brad Beyenhof wrote:

 On 11/11/05, Phil Daley [EMAIL PROTECTED] wrote:
  Sony has an uninstaller available on a web site somewhere.
 
 That uninstaller does not remove the rootkit in its entirety, it
 just disables the $sys$ file hiding (which has already been exploited
 in a new Trojan that just came out).

Something I read said there were already THREE exploits that used the 
file hiding technique provided by Sony's rootkit.

And that will surely be just the beginning.

My bet is that there's only a very small number of PCs that have this 
thing installed on them, but given the huge numbers of Windows PCs 
sitting connected to the Internet unprotected by any firewall, that 
very well might still be enough to justify going after those PCs for 
a botnet. A couple thousand computers is still a valuable commodity 
in the black hat world.

-- 
David W. Fenton            http://www.bway.net/~dfenton
David Fenton Associates    http://www.bway.net/~dfassoc



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-11 Thread David W. Fenton
On 11 Nov 2005 at 12:47, Robert Patterson wrote:

 Christopher Smith wrote:
 
  I would sue if 
  something like this was installed on my computer by a so-called
  reputable company.
 
 As much as I agree with the sentiment, I suspect anyone who is
 infected with this thing clicked thru a license agreement that allowed
 Sony to install their software.

But the EULA was deceptive and did not fully explain what the 
software was doing and what its risks were. To me, almost every EULA 
I've ever seen is so misleading as to be practically a lie, but this 
one was an actual LIE in that it omitted crucially important 
information about what you were agreeing to. 

I think there's a good chance that many EULAs could be challenged in 
court, and this one is one of the most egregious. Contracts can be 
structurally OK and still be invalidated if the two parties don't 
have appropriate standing to negotiate the terms. Many contracts 
include terms that wouldn't actually hold up in court if one of the 
parties challenged them, and most EULAs, in my opinion (and in the 
opinion of many legal experts) are borderline in terms of their 
contents.

The Sony EULA for this software is not even borderline. It's 
factually deceptive. 

 Yesterday's msnbc.com mentioned a lawsuit filed against Sony due to
 malware that is now in the wild that exploits the software Sony
 installed. This seems like a more promising case. No matter what,
 though, I suspect Sony has not heard the end of it in court.

All avenues should be pursued against Sony on this one. Corporations 
need to be taught that they can't take actions like this without 
great cost.

 And of course, if found liable, Sony will turn around and sue their CP
 vendor. It's lovely, I think. The whole lot of 'em deserves their
 stinking mess.

That would be an interesting lawsuit. My bet is that the Sony 
officials responsible for the implementation of this lame copy 
protection software were fully aware of what the software did and 
duly authorized the outside contractor to implement it the way they 
did. The only way Sony could win such a suit was if some rogue 
executive within Sony had pursued this against the orders of her 
superiors and against corporate policy. Sony would have to reveal an 
awful lot of internal corporate policy and correspondence to win this 
lawsuit. You can bet that the contract between Sony and the software 
writers is very explicit on exactly what the software would do, so I 
don't really think there's much possibility that Sony could win such 
a case, and that the information that would have to come out to even 
try would be far too damaging for them to risk such a suit.

But, even if none of the lawsuits against Sony succeed, Sony has 
already lost revenue, because a large number of people who were 
wholly unaffected by this rootkit will refuse to ever buy Sony 
products of any kind, for fear of some other nefarious activity on 
Sony's part.

I just don't understand how these media companies can be run by such 
incredibly stupid people. How can they make any money at all with 
such idiots at the helm?

-- 
David W. Fenton            http://www.bway.net/~dfenton
David Fenton Associates    http://www.bway.net/~dfassoc

___
Finale mailing list
Finale@shsu.edu
http://lists.shsu.edu/mailman/listinfo/finale


Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-10 Thread John Howell

At 2:03 AM +0100 11/11/05,  Gerhard Torges, geb. Hölscher  wrote:

Hello!

This is heavily offtopic on this list but I 
couldn't stand to let anyone here get into the 
pitfall which would be even more serious to 
anyone using his/her PC for business.


Sony BMG and their subsidiary record labels [1] 
have released a couple of music CDs that contain 
malicious software claiming to simply be a copy 
protection system called XPC.

But it's worse.
Far worse.


OK, esteemed computer gurus:  urban legend, spam or confirmed terrorism?

John


--
John & Susie Howell
Virginia Tech Department of Music
Blacksburg, Virginia, U.S.A 24061-0240
Vox (540) 231-8411  Fax (540) 231-5034
(mailto:[EMAIL PROTECTED])
http://www.music.vt.edu/faculty/howell/howell.html



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-10 Thread Raymond Horton


This is heavily offtopic on this list but I couldn't stand to let  
anyone here get into the pitfall which would be even more serious to  
anyone using his/her PC for business.


Sony BMG and their subsidiary record labels [1] have released a couple  
of music CDs that contain malicious software claiming to simply be a  
copy protection system called XPC.



As long as the issue has been opened on-list I'll cross-post David 
Pogue's NY Times e-column on the subject which is just a bit less 
inflammatory:


Thursday, October 10, 2005
From the Desk of David Pogue

Sony BMG's Copy-Protecting Watchdog

My In box usually bursts to the seams with reader reaction to stuff I've 
written. What was unusual this week, though, was the amount of mail that 
came in on a topic that I've never even mentioned: the Sony BMG rootkit 
tactic.


The story goes like this. Starting in June 2004, Sony BMG records began 
copy-protecting its pop-music CD's. Over the months, the company has 
used several software schemes for preventing you, the customer, from 
making illegal copies of its discs. But 20 albums are protected by a 
scheme devised by a company called First 4 Internet -- and it's caused an 
incredible online furor.


These CD's, all bearing Content Protected labels on the packaging 
(meaning copy protected), do something very sneaky if you try to play 
them on a Windows PC: they install a proprietary watchdog program that 
prevents you from copying the CD more than twice. (On a Macintosh or 
Linux machine, these CD's play just fine, without any copy protection.)


Last week, a programmer and blogger named Mark Russinovich dug a little 
deeper, and found out something disturbing: the Sony watchdog program 
not only installs itself deep in the core of Windows -- it's what's called 
a rootkit -- but it also makes itself invisible.


The record company doesn't dispute Russinovich's findings. "The cloaking 
is an additional level of protection to hide the protection files 
themselves," Mathew Gilliat-Smith, CEO of First 4 Internet, told me. 
"It's an extra speedbump to make it that much more difficult [for 
prospective music pirates] to circumvent the protection." But Sony BMG 
didn't seem to be prepared for the outcry from privacy advocates and 
ordinary citizens who felt violated.


To them, Sony BMG's tactic was dangerous, sneaky, intrusive and maybe 
even illegal. Some of the problems:


* The hidden-rootkit trick has been used by virus writers to conceal 
their tracks. It doesn't give you such a rosy feeling to know that Sony 
BMG is treating you the same way.


* Once hidden, the copy-protection software is invisible to antivirus 
programs, too. So the baddies of the Internet could, in theory, use 
Sony's software as a backdoor to infect your machine, and your virus 
checker would miss it.


* If you try to remove the software manually, you risk disabling your CD 
player completely. (Instead you should use the Uninstall link on Sony 
BMG's customer-service Web site, whose link appears on the Help screens 
of Windows Media Player. Of course, then you can't play the CD on your 
computer.)


* When you insert one of these music discs into your PC, one of those 
software license agreements appears. It says explicitly what's about to 
occur: "This CD will automatically install a small proprietary software 
onto your computer. The software is intended to protect the audio files 
on this CD. It will reside on your computer until it is removed or deleted."


But this note does not say that the software hides itself. And, even 
more damning, you don't see this note until you've scrolled down to the 
third page of legalese in the license agreement. Let's not kid 
ourselves: NOBODY ever reads those license agreements. They're too long, 
too opaquely written and generally of little use to anyone except the 
lawyers.


* Sony's copy-protection software prevents you from playing the music 
you've bought on your iPod, which happens to be the world's most popular 
music player.


Once the true nature of the Sony BMG software tactic became public, the 
company wasted no time in attempting to defuse the issue. Within 48 
hours, it released a patch that makes its software visible again; you 
can download it from http://cp.sonybmg.com/xcp. (Click the Software 
Updates button.) Sony also provided the rootkit-cloaking information to 
antivirus-software companies, so that the software will no longer be a 
potential virus magnet.


At that same Web site, you'll find, incredibly, a link to a 
Sony-sanctioned workaround that lets you copy the protected songs to the 
iPod. (Sony says it will send you the workaround by e-mail once you 
supply the name of the CD and other information.)


Finally, Sony has abandoned the rootkit protection method. (It says, in 
fact, that it had planned to do so even before the trick became public.) 
It still intends to install copy-protection software on every audio 
CD -- but it will use other methods.


For now, then, it seems that 

Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-10 Thread Dennis Bathory-Kitsz
At 08:21 PM 11/10/05 -0500, John Howell wrote:
OK, esteemed computer gurus:  urban legend, spam or confirmed terrorism?

Absolutely true. I hope it's a nightmare for Sony, who deserves every lawsuit
that comes their way.

Reading for the evening:
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html
http://www.sysinternals.com/blog/2005/11/sony-you-dont-rlly-want-to_09.html
http://www.f-secure.com/v-descs/xcp_drm.shtml
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=76345
http://blogs.washingtonpost.com/securityfix/2005/11/calif_ny_lawsui.html
http://www.pcworld.com/news/article/0,aid,123454,00.asp

There's a reason I've complained about copy protection and all its kin

Dennis





Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-10 Thread Robert Patterson

Unfortunately, all too real. This IS NOT A HOAX.

Today msnbc.com has a front-page article about it. There are also 
relevant articles at eff.org and others.


FWIW: You can safeguard your Windows machine by disabling Autorun. A 
number of websites will show you the registry key to modify.


Mac users (as with a previous CD/CP scheme) are immune.

Gerhard Torges, geb. Hölscher wrote:

Hello!

This is heavily offtopic on this list but I couldn't stand to let  
anyone here get into the pitfall which would be even more serious to  
anyone using his/her PC for business.


Sony BMG and their subsidiary record labels [1] have released a couple  
of music CDs that contain malicious software claiming to simply be a  
copy protection system called XPC.

But it's worse.
Far worse.
When one of these CDs is put into the computer's CD or DVD drive, it  
installs software that


- hides itself from the user
- opens backdoors enabling the PC to be controlled from the internet
- submits infos on played CDs (and maybe more) to Sony BMG
- disturbs MP3 playback and iPod filling
- consumes up to 2% CPU time EVEN IF NO CD OR SOUND FILE IS PLAYED
- is not removable

In my eyes, this is a violent attack against consumer rights worldwide  
and a clear case of computer sabotage.


The EFF has made a list of CD's being affected with this software:

http://www.eff.org/deeplinks/archives/004144.php

Do NOT put any of these in a Windows PC's drive!

The main EFF article on this issue can be found at:

http://www.eff.org/deeplinks/archives/004117.php

In-depth technical information on the software by Mark Russinovich who  
discovered it:


http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html


Be very careful buying CD's from one of the Sony BMG labels (according  
to http://www.sonybmg.com/labels.html):


   Arista Records
   BMG Classics
   BMG Heritage
   BMG International Companies
   Columbia Records
   Epic Records
   J Records
   Jive Records
   LaFace Records
   Legacy Recordings
   Provident Music Group
   RCA Records
   RCA Victor Group
   RLG - Nashville
   Sony Classical
   Sony Music International
   Sony Music Nashville
   Sony Wonder
   Sony Urban Music
   So So Def Records
   Verity Records

One last beg: SPREAD THIS WARNING!
Pass it over to friends and colleagues. If they don't have email,  
print it out and copy it!


Protecting creative work is one thing, but attacking user's privacy  
like this is not tolerable.


Thank you all for reading.


Gerhard Torges






--
Robert Patterson

http://RobertGPatterson.com


Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-10 Thread David W. Fenton
On 10 Nov 2005 at 20:21, John Howell wrote:

 OK, esteemed computer gurus:  urban legend, spam or confirmed
 terrorism?

It's unquestionably real.

And it's very dangerous.

One of the things it does is hook into low-level file I/O subroutines 
to hide its own files and its own activities. This is accomplished by 
hiding every file/directory that begins with $sys$ (or a similar such 
pattern -- I could be misremembering the exact prefix). Now that it's 
public knowledge, any hacker could exploit this on computers on which 
it has been installed to install their own nefarious files, as long 
as they name them with the same prefix.

It's a hugely dangerous security hole.

But the main issue is that it's a form of trespass -- they are 
installing software on your PC without full disclosure of the 
repercussions of that installation.

And the really sad thing is that it's so poorly implemented that it 
could easily be avoided by:

1. turning off AutoPlay.

2. holding the SHIFT key when you insert a CD (which turns off 
AutoPlay for that CD).

And, most critically:

3. running under a user-level logon that does not have administrative 
permissions on your system. This prevents the software from 
installing itself, as on Windows 2000 and XP, the system data areas 
are not available for writing by user-level logons.

I have been saying for years to anyone who listens that it is 
complete idiocy to run a Windows PC with an administrative logon. 
This is a perfect example of just where avoiding that widespread 
practice would immunize you from a very serious problem.

Sony has also been extremely evasive and untruthful in its response 
to this problem, having released a fix that doesn't fix it at all, 
but, in fact, extends the capabilities of the hidden programs.

-- 
David W. Fenton            http://www.bway.net/~dfenton
David Fenton Associates    http://www.bway.net/~dfassoc
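
Added example (not part of the original message, and not code from Sony or First 4 Internet): a Python model of the name-prefix cloak described in the message above and of the cross-view comparison a defender uses to expose it. The `$sys$` prefix is taken from the message; the paths, owner labels and function names are constructed for illustration, and nothing here touches a real file system.

```python
# Model of a name-prefix cloak and of the cross-view check that exposes it.
# Added illustration only: every path and owner label below is constructed
# sample data, and no real file system or API is hooked or queried.

CLOAK_PREFIX = "$sys$"  # prefix as quoted in the message above

# Constructed "raw" view: what is actually stored, path -> who put it there.
RAW_VIEW = {
    r"C:\WINDOWS\system32\notepad.exe": "os",
    r"C:\WINDOWS\system32\$sys$example\driver.sys": "copy-protection",
    r"C:\WINDOWS\system32\$sys$other.exe": "unrelated-program",
    r"C:\Documents\$sys$notes.txt": "user",
    r"C:\Documents\score.mus": "user",
}


def is_cloaked(path, prefix=CLOAK_PREFIX):
    """Name-only test: true if any path component starts with the prefix."""
    return any(part.startswith(prefix) for part in path.split("\\"))


def api_view(raw_view):
    """Listing an application would receive through the filtered API."""
    return sorted(p for p in raw_view if not is_cloaked(p))


def cross_view_diff(raw_view, listed):
    """Entries present in the raw view but absent from the API listing."""
    return sorted(set(raw_view) - set(listed))


def hidden_owners(raw_view):
    """Owners of the hidden entries; the filter never looks at ownership."""
    hidden = cross_view_diff(raw_view, api_view(raw_view))
    return sorted({raw_view[p] for p in hidden})


if __name__ == "__main__":
    for path in cross_view_diff(RAW_VIEW, api_view(RAW_VIEW)):
        print(f"hidden from API view: {path}  (owner: {RAW_VIEW[path]})")
    print("owners of hidden entries:", hidden_owners(RAW_VIEW))
```

The hidden set contains entries from three different owners because the filter keys on the name alone, which is why an antivirus scanner that lists files through the filtered API misses them and why a comparison against a raw view finds them.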



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-10 Thread Gerhard Torges, geb. Hölscher

Hi!

On 11.11.2005 at 02:21, John Howell wrote:

Sony BMG and their subsidiary record labels [1] have released a couple 
of music CDs that contain malicious software claiming to simply be a 
copy protection system called XPC.

But it's worse.
Far worse.


OK, esteemed computer gurus:  urban legend, spam or confirmed 
terrorism?


The latter.


Gerhard



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-10 Thread Gerhard Torges, geb. Hölscher

On 11.11.2005 at 02:36, Robert Patterson wrote:


Today msnbc.com has a front-page article about it.


See here:
http://www.msnbc.msn.com/id/9991596/


Viruses exploit Sony CD anti-piracy scheme
Hackers use copy-protection software to hide in PCs

SAN JOSE, Calif. - A controversial copy-protection program that 
automatically installs when some Sony BMG audio CDs are played on 
personal computers is now being targeted by malicious software that 
exploits the antipiracy technology’s ability to hide files.


The Trojan horse programs — three have so far been identified by 
anti-virus companies — are named so as to trigger the cloaking feature 
of Sony’s XCP2 antipiracy technology, security experts said Thursday.


“This could be the advanced guard,” said Graham Cluley, senior 
technology consultant at the security firm Sophos. “We wouldn’t be 
surprised at all if we saw more malware that exploits what Sony has 
introduced.”


[...]



Gerhard






Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-10 Thread Brad Beyenhof
On 11/10/05, Robert Patterson [EMAIL PROTECTED] wrote:
 Mac users (as with a previous CD/CP scheme) are immune.

Not completely true:
http://digg.com/apple/Sony_Music_CDs_infect_Macs,_too_

It's not as invasive or as automatic, but there is DRM software on
Sony CDs for Macs as well.

--
Brad Beyenhof
Real-time Finale discussion: http://www.finaleirc.com
my blog: http://augmentedfourth.blogspot.com
Silence will save me from being wrong (and foolish), but it will also
deprive me of the possibility of being right.   ~ Igor Stravinsky



Re: [Finale] OT: Windows users BEWARE of Sony BMG music CD's!

2005-11-10 Thread Christopher Smith


On Nov 10, 2005, at 8:26 PM, Raymond Horton wrote:

Once the true nature of the Sony BMG software tactic became public, 
the company wasted no time in attempting to defuse the issue. Within 
48 hours, it released a patch that makes its software visible again; 
you can download it from http://cp.sonybmg.com/xcp. (Click the 
Software Updates button.) Sony also provided the rootkit-cloaking 
information to antivirus-software companies, so that the software will 
no longer be a potential virus magnet.


At that same Web site, you'll find, incredibly, a link to a 
Sony-sanctioned workaround that lets you copy the protected songs to 
the iPod. (Sony says it will send you the workaround by e-mail once 
you supply the name of the CD and other information.)


Finally, Sony has abandoned the rootkit protection method. (It says, 
in fact, that it had planned to do so even before the trick became 
public.) It still intends to install copy-protection software on every 
audio CD -- but it will use other methods.


For now, then, it seems that the cloaked-rootkit issue is dead. If you 
bought one of the 20 affected CD's, you can uncloak the software, and 
Sony won't be using this scheme anymore.





According to another article I read, uncloaking the software still 
won't allow you to remove it without disabling your CD/DVD drive. You 
are hosed in certain cases (as it crashes some versions of Windows), 
unless you reformat.


Plus, I think just about anyone would balk at having to provide their 
email address to a company in order to have physical access to content 
they already have legal access to.


I'm glad (for now!) that I'm unaffected by this. Of course, at any time 
that may change...


Christopher
