Sony deserves every bit of the shit they are getting from this.

Just wait for the lawsuits. I hope the lawyers eat well off them.

[Edited on November 10, 2005 at 10:19 PM. Reason : PAGE TWO]

11/10/2005 10:19:19 PM

this whole mess just goes to show the power of the internet blogger.

11/11/2005 8:01:49 AM

no, not quite.

the "blogosphere" as dorks like to call it is more harmful than helpful for most people. established/reputable people with blogs is a different thing but average joe schmoe blogs are a waste of time and employers look at them sometimes and wonder what the fuck is wrong with a potential employee based on some of the things he/she puts in there.

[Edited on November 11, 2005 at 8:09 AM. Reason : but that's for another thread.]

11/11/2005 8:09:40 AM

Quote :

"Hackers use Sony BMG to hide on PCs Thu Nov 10, 3:35 PM ET AMSTERDAM (Reuters) - A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's (6758.T) controversial CD copy-protection software to hide on PCs and wreak havoc. ADVERTISEMENT Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos. When recipients click on an attachment, they install malware, which may tear down a computer's firewall and give hackers access to a PC. The malware hides by using Sony BMG software that is also hidden -- the software would have been installed on a computer when consumers played Sony's copy-protected music CDs. "This leaves Sony in a real tangle. It was already getting bad press about its copy-protection software, and this new hack exploit will make it even worse," said Sophos's Graham Cluley. Later on Thursday, security software firm Symantec Corp. (Nasdaq:SYMC - news) also discovered the first trojans to abuse the security flaw in Sony BMG's copy-protection software. A trojan is a program that appears desirable but actually contains something harmful. Sony BMG's spokesman John McKay in New York was not immediately available to comment. The music publishing venture of Japanese electronics conglomerate Sony Corp. (6758.T) and Germany's Bertelsmann AG (BERT.UL) is distributing the copy-protection software on a range of recent music compact disks (CDs) from artists such as Celine Dion and Sarah McLachlan. When the CD is played on a Windows personal computer, the software first installs itself and then limits the usage rights of a consumer. It only allows playback with Sony software. The software sparked a class action lawsuit against Sony in California last week, claiming that Sony has not informed consumers that it installs software directly into the "roots" of their computer systems with rootkit software, which cloaks all associated files and is dangerous to remove. Sophos said it would have a tool to disable the copy protection software available later on Thursday. Sony BMG made a patch available on its Web site on Tuesday that rids a PC from the "cloaking" element that is part of the copy-protection software, while claiming that "the component is not malicious and does not compromise security." The patch does not disable the copy protection itself. The Sony copy-protection software does not install itself on Macintosh computers or ordinary CD and DVD players."

http://news.yahoo.com/s/nm/20051110/tc_nm/sony_hack_dc

11/11/2005 9:06:13 AM

^ see link to cnn story on page 1...

11/11/2005 10:13:57 AM

damn,

is there a list somewhere with CD titles that have this crap on it?

before I left for boston I bought a bunch of CD's (to play in the car) and ripped them all to NOT ONLY my personal PC but my work laptop.

Fuck.

11/11/2005 10:18:14 AM

anything printed recently by sony BMG I'd say

11/11/2005 12:32:57 PM

is it only CD's published by Sony BMG, or does it also include some of their subsidiary labels? If so, does anyone have a list of labels that are owned by Sony BMG?

11/11/2005 1:58:33 PM

they stopped making the CDs at least:

Quote :

"WASHINGTON (AP) - Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers."

---------------------------------------------------------
oh, shit - one IT team took it to the extreme:

Quote :

"As a result of this incident my workplace now has banned the use of any Sony/BMG audio CDs onsite - since they now consider them an IT risk. It may well spread to an outright ban on audio CDs from any label. Currently, anyone found onsite with an infected audio CD will be summarily dismissed under the security provisions in their contract, whether it has been used on a computer or not."

---------------------------------------------------------
list of effected CDs: http://slashdot.org/~xtracto/journal/121088

[Edited on November 11, 2005 at 3:12 PM. Reason : list]

11/11/2005 2:50:37 PM

haha, this is priceless:

Quote :

"try to rename your favourite ripping software as $sys$whatever.exe and then run it again. You'll notice that the DRM system can no longer detect it, and thus you'll get good copy of the track you try to rip instead of one filled with noise. So, that means that if someone wanted to make illegal copies of the CD's listed before, they just needed to rename one file!. Thus, at the very end it is Sony's technology who is providing the means to bypass its own copy protection technology. "

yet another "magic marker" technique.

11/11/2005 4:29:48 PM

just read the article about this on msnbc.com, saying how hackers could use the code that Sony used to run their own malware programs.

So by wanting to get rid of people that upload and download music off the internet, they put out a virus? If they wanted to do that, just infect StreamCast with viruses up the yinyang.

11/11/2005 4:36:21 PM

Quote :

"effected"

affected

Is Sony the first "big label" company who has released DRM-type CDs? What other DRM technologies are out there? Have they been effective or crappy?

11/11/2005 6:13:36 PM

^^^ haha nice

^^ lmao read the articles again dude - and not msnbc for god's sake. read something tech literate that explains it better.

^ damn it i knew i shouldn't have done that last edit.

[Edited on November 11, 2005 at 6:14 PM. Reason : .]

11/11/2005 6:14:23 PM

Microsoft removes Sony malware with implications
http://www.theinquirer.net/?article=27649

11/13/2005 11:52:45 AM

It turns out that there is also a Mac-DRM module included with the CDs. Luckily, you have to actively install it (shoot yourself in the foot much?).

http://www.macintouch.com/#tip.2005.11.10.sony

Quote :

"I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "Start.app" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext. Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site."

11/13/2005 12:06:10 PM

Hahahah it fucking installs a KERNEL EXTENSION.

Mac tip: you don't need to fucking modify the basis of your OS to listen to music.

11/13/2005 12:27:51 PM

Quote :

"Hahahah it fucking installs a KERNEL EXTENSION"

Yeah, they aren't playing. A root-kit on Windows and a kext on the Mac.

Quote :

"Mac tip: you don't need to fucking modify the basis of your OS to listen to music."

On the bright side, the only people who ended up with this installed would be morons with root-privs.

11/13/2005 12:40:04 PM

Quote :

" established/reputable people with blogs is a different thing but average joe schmoe blogs are a waste of time and employers look at them sometimes and wonder what the fuck is wrong with a potential employee based on some of the things he/she puts in there."

1. define "established/reputable"

2. who tells a potential employer about their blog?

11/13/2005 12:52:03 PM

1. people who put shit out like sysinternals and that guy at grc, and some other researchers that were famous even before blogging started. it was legit articles then, and now they just do the same work on their blog instead since it attracts traffic.
2. google

11/13/2005 7:05:18 PM

hmm, this is nice.

According to DeWinter (mentioned on Slashdot), Sony's little rootkit is actually committing a license violation.

Apparently it contains portions of LAME source code, which is licensed under GPL. Which means any works that use it's source are required to be open source as well, if I've read the license correctly.

This is vaguely amusing if it's accurate.

11/13/2005 11:36:23 PM

it's like every time we think more shit couldn't possibly hit the fan, another monkey flings some poo Sony's way.

11/14/2005 3:48:33 AM

Fuck sony and their proprietary bullshit

11/14/2005 5:39:07 AM

that winternals/systernals guy works for a reputable company. I know who i work for has dumped some fairly major dough on their company. They make some killer software and they know what they are talking about.

11/14/2005 7:39:28 AM

Somebody better get a mop.


Because I think Sony's asshole is going to be bleeding after the lawyers are done with them.

_________

11/14/2005 10:07:21 PM

russinovich continues the discussion:

http://www.sysinternals.com/blog/2005/11/sony-no-more-rootkit-for-now.html

11/15/2005 12:32:22 AM

it's getting worse..... this looks to be something Mark ^ touched on in his write up, but is discussed more in the comments and here -
http://www.freedom-to-tinker.com/?p=927
http://www.schneier.com/blog/archives/2005/11/still_more_on_s_1.html

Quote :

"The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program — an ActiveX control created by the DRM vendor, First4Internet — called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission. "

11/16/2005 3:37:34 AM

^ I saw something along the same lines from the Washington Post. I don't think Sony can get much worse bad press over something.

I wonder how high this fiasco will rate compared to worms and such 5 years from now.

11/16/2005 3:40:30 AM

[Edited on November 16, 2005 at 5:36 AM. Reason : there's been a recall, for those of you who won't get it.]

11/16/2005 5:33:54 AM

with microsoft backing hd dvd and sony in the shitter, i think hd-dvd is gonna win now.

11/16/2005 5:36:15 AM

I dunno, I imagine there will be dual players/writers though maybe not in the beginning. Kinda like dvd - and + r.

11/16/2005 5:41:11 AM

i wouldn't exactly say "sony is in the shitter".... for sure, this incident is putting a black mark on their reputation for the moment. But this is still mostly a geek obsession - "most people" still don't know or care what Sony is doing to their CDs. All in all they're still a huge, diverse company that makes thousands of products that people will buy regardless of this music CD fiasco.

and dont count out the PS3 and it's Blu-Ray standard support

11/16/2005 7:09:22 AM

i hadn't noticed that bruce schneier was getting involved with this as well. of course i'm not surprised, but i hadn't noticed. i'm confident this will get included into his monthly crypto-gram for even further distribution.

11/16/2005 9:11:34 AM

Sony Yanks Copy-Protected CDs:

http://news.yahoo.com/s/pcworld/20051116/tc_pcworld/123560

and Russinvich declares victory:

http://www.sysinternals.com/blog/2005/11/victory.html

[Edited on November 16, 2005 at 4:51 PM. Reason : asdf]

11/16/2005 4:46:59 PM

<who> I will write on a huge cement block "BY ACCEPTING THIS BRICK THROUGH YOUR WINDOW, YOU ACCEPT IT AS IS AND AGREE TO MY DISCLAIMER OF ALL WARRANTIES, EXPRESS OR IMPLIED, AS WELL AS DISCLAIMERS OF ALL LIABILITY, DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL, THAT MAY ARISE FROM THE INSTALLATION OF THIS BRICK INTO YOUR BUILDING."

<who> And then hurl it through the window of a Sony office

<who> and run like hell

11/16/2005 4:58:59 PM

hahahahaha sweet

11/16/2005 5:03:37 PM

Quote :

"i hadn't noticed that bruce schneier was getting involved with this as well. of course i'm not surprised, but i hadn't noticed. i'm confident this will get included into his monthly crypto-gram for even further distribution."

even better. Schneier has been writing monthly columns for Wired. Guess what his latest one is about -
http://www.wired.com/news/privacy/0,1848,69601,00.html

11/17/2005 10:53:47 AM

for those who haven't been paying any attention to this, that's a nice recap in three pages.

11/17/2005 11:14:15 AM

Quote :

"The user can simply apply a fingernail-sized piece of opaque tape to the outer edge of the disc, rendering session 2 - which contains the self-loading DRM software, unreadable. The PC then treats the CD as an ordinary single-session music CD, and the commonly used CD "rip" programs continue to work as usual. (Gartner emphasizes that it does not recommend or endorse this technique.) "

11/21/2005 12:00:25 PM

^ i just saw that

funny as hell

on fark it says "Not wanting to be outdone by markers, tape thwarts Sony's latest anti-piracy software. Next revision of DMCA to ban office supplies"

11/21/2005 12:18:55 PM

pwnt

11/21/2005 12:47:20 PM

Naturally, the head of the RIAA says that Sony did nothing wrong.

http://www.malbela.com/blog/archives/000375.html

Quote :

"The problem with the SonyBMG situation is that the technology they used contained a security vulnerability of which they were unaware. They have apologized for their mistake, ceased manufacture of CDs with that technology,and pulled CDs with that technology from store shelves. Seems very responsible to me. How many times that software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?"

Of course he would say that.

11/21/2005 12:52:13 PM

some kid was telling one of the bus drivers about this today

i was like, "omg dude, he really doesn't give a damn"

11/21/2005 1:22:41 PM