Posted on 11/17/2005 6:09:52 AM PST by ShadowAce
When the news first broke in the mainstream press that Windows expert and blogger Mark Russinovich (he wrote a book about Windows for Microsoft) had found that Sony's anti-piracy efforts had gone too far and that Sony's DRM was installing an undetectable rootkit on customers' computers which they couldn't safely remove, the first reaction from Microsoft was guarded. They were concerned, they said, and were evaluating what, if anything, to do:
Microsoft, which also ships an anti-spyware program, recently renamed "Windows Defender," hasn't yet decided whether it will also flag the Sony DRM software as malicious code, the spokesperson said. "Microsoft's Windows Defender and the Malicious Software Removal Tool [MSRT] have established objective criteria to determine what code will be classified for removal. We are evaluating the current situation to determine if any action from Microsoft is necessary," the spokesperson wrote in an e-mail statement.
Computer Associates and Symantec had already announced they would add detection of the Sony rootkit to their security software, but Microsoft needed time to think. Now, they've decided to zap the rootkit also:
The software giant's Windows AntiSpyware application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology. . . . Detection and removal of the XCP rootkit will also appear in Windows Defender, the next version of Windows AntiSpyware when that makeover ships.
Meanwhile, antivirus firms are already warning about a new trojan in the wild taking advantage of the rootkit. This story raises some questions. These CDs with rootkits have been sold for 8 months. Where was Microsoft? Why didn't they and the antivirus companies notice this rootkit themselves long ago?
When the story first hit, here's the explanation given by First 4 Internet, the company that wrote the rootkit for Sony:
The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said.
So, Symantec and "the big antivirus companies" already knew about the rootkit? According to this statement, it seems they did. Are they then liable as well as Sony?
Groklaw member alangmead asked another valid question in a comment to an earlier article: Does that mean that Microsoft knew also and was complicit, deliberately ignoring the rootkit? Alternatively, if not, might one not legitimately ask if Microsoft's anti-spyware is "sophisticated enough to detect the system changes" made by Sony's DRM? Which explanation is worse?
I can't help but wonder about a third possibility. Charlie Demerjian recently wrote about what he views as the new Microsoft PR technique. He says because Microsoft lacks credibility, they don't put out press releases on certain stories. Instead they leak it to the press or to blogs. I'll let him describe it for you:
MS has taken to 'slips', 'admissions' and 'leaks' in ways that it 'really should not have' done. The reporter pounces, and the Microsoft spokesperson gets all defensive and asks that it not be published, blah blah blah. Memos leaked to the right people have a similar effect, as do blog entries as a first line of press knowledge. Few things work better than a grass roots spreading of 'facts' that the mainstream press 'notices'. Few PR efforts or changes of direction come in press releases any more; they all come from blogs and leaked memos. The people who pick the stories up and grassroots spread them tend not to mock as much as the real press. Those that do can be easily laughed off by real PR as the lunatic fringe. Basically, Microsoft is using the blogosphere to do its PR for them, and we are supposed to be the pawns.
Is that what happened here? I have no idea, but I know it's the right question. I'm not in love with Sony at the moment, but fair is fair.
I thought it was important to mention all this, because of the litigation. Just how deep does this betrayal of customers go? F-Secure, who was not part of the complicit agreement apparently and discovered the rootkit independently, according to Russinovich, explained on November 4 on their blog why rootkits are a security problem:
A member of our IT security team pointed out a quite chilling thought about what might happen if record companies continue adding rootkit based copy protection into their CDs.
In order to hide from the system a rootkit must interface with the OS on a very low level, and in those areas there's no room for error.
It is hard enough to program something on that level without having to worry about any other programs trying to do something with the same parts of the OS.
Thus if there were two DRM rootkits on the same system trying to hook the same APIs, the results would be highly unpredictable. Or actually, a system crash is a quite predictable result in such a situation.
So imagine a situation where Joe Customer buys a CD from label A and another CD from label B. Label A uses third party DRM from company X and Label B uses DRM from company Y.
Then our user first plays one of the CDs in his PC, and everything works fine. But after he starts playing the second CD, his computer crashes and won't boot again. This is something I would not like to associate with buying legal CDs.
The Department of Homeland Security agrees. This IP protection is now threatening our security. How did everyone lose their sense of proportion? I earlier put a link to the audio of Stewart Baker, Department of Homeland Security Assistant Secretary for Policy, in News Picks, but what he said is so important, I wish to repeat it here:
"It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days." "If we have an avian flu outbreak here and it is even half as bad as the 1918 flu, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is going to be a matter of life and death and we take it very seriously as well." - DHS Ass't Sec'y on Policy Stewart Baker
Copyright infringement is important to companies like Sony, of course, but if, when enforcing their rights, they end up exceeding their actual rights and endanger our lives in their quest to protect mere money, something is seriously out of balance. I also most sincerely hope that the DHS realizes the security value of the GNU/Linux operating system, as well as MacOSX. If the Department is relying exclusively on Windows, I am frankly terrified.
By the way, if you'd like to hear the immortal words from First 4 Internet about rootkits and how customers don't know what they are and so needn't care about them, here you go. Your choices to listen to the audio are Windows Media Player or RealPlayer. Is it time, folks, for websites to broaden the choices they offer people? Some of us are afraid to use Windows, you know.
And for any of you who are staring at your Windows computer and wondering just how bad it is in your personal case, may I encourage you to think about GNU/Linux systems as a remedy? It's one advantage of FOSS software that there is no code you are not allowed to examine. That's part of what the Free means in Free Software and the Open in Open Source: you are free to look at the code and are free from secret corporate dirty tricks and private gentlemen's agreements that put your security at risk.
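The F-Secure passage quoted in the article (two DRM modules hooking the same low-level APIs) is easier to see with a toy model. This added example is not from the article, F-Secure or Sony: it is a constructed one-entry dispatch table, two modules that hook it by pointer replacement, and the unload order that leaves the slot pointing at code that is no longer loaded, next to a checked unhook that refuses to break the chain.

```c
/* Toy model of two independent DRM modules hooking the same OS dispatch
 * slot by pointer replacement.  Constructed illustration only: the table,
 * the modules and the unload order are all made up, not Windows or XCP code. */
#include <stdio.h>

typedef int (*open_fn)(const char *name);

/* The OS's own implementation behind the hooked slot. */
static int real_open(const char *name) { (void)name; return 0; }

/* A single dispatch-table entry standing in for a system-call slot. */
static open_fn slot = real_open;

typedef struct {
    const char *name;
    open_fn hook;     /* this module's replacement routine            */
    open_fn saved;    /* whatever was in the slot when we hooked it   */
    int loaded;       /* 0 after unload: running our hook = dangling  */
} module;

static module mod_a, mod_b;

/* Label A's module hides names starting with 'A', Label B's with 'B'.
 * Each only knows the pointer it displaced, not who owns it. */
static int hook_a(const char *name) {
    if (!mod_a.loaded) return -1;        /* stand-in for a kernel crash */
    if (name[0] == 'A') return -2;       /* "hidden" from the caller     */
    return mod_a.saved(name);
}
static int hook_b(const char *name) {
    if (!mod_b.loaded) return -1;
    if (name[0] == 'B') return -2;
    return mod_b.saved(name);
}

static void install(module *m, const char *name, open_fn hook) {
    m->name = name; m->hook = hook;
    m->saved = slot;                     /* chain to the previous owner */
    slot = hook;
    m->loaded = 1;
}

/* Naive unhook: blindly writes back what we saved. */
static void uninstall_naive(module *m) {
    slot = m->saved;
    m->loaded = 0;
}

/* Checked unhook: only restore if the slot still points at our hook;
 * otherwise someone hooked after us and we must stay resident. */
static int uninstall_checked(module *m) {
    if (slot != m->hook) return 0;       /* refuse: would break the chain */
    slot = m->saved;
    m->loaded = 0;
    return 1;
}

static void reset(void) { slot = real_open; mod_a.loaded = mod_b.loaded = 0; }

/* Both modules loaded and stacked: B runs first, then chains to A. */
int scenario_stacked(const char *name) {
    reset();
    install(&mod_a, "A", hook_a);
    install(&mod_b, "B", hook_b);
    return slot(name);
}

/* Both loaded, A unloads first with the naive unhook.  Returns the call
 * result after both have unloaded: -1 means the slot points at unloaded code. */
int scenario_naive(const char *name) {
    scenario_stacked("");
    uninstall_naive(&mod_a);           /* slot = real_open: B silently bypassed */
    uninstall_naive(&mod_b);           /* slot = hook_a, but A is gone          */
    return slot(name);
}

/* Same order with the checked unhook: A refuses, B restores to hook_a
 * (still loaded), then A restores cleanly and the slot is real_open again. */
int scenario_checked(const char *name) {
    scenario_stacked("");
    int a_first = uninstall_checked(&mod_a);   /* 0: not top of chain */
    int b = uninstall_checked(&mod_b);         /* 1 */
    int a_second = uninstall_checked(&mod_a);  /* 1 */
    return (a_first == 0 && b == 1 && a_second == 1) ? slot(name) : -99;
}

int main(void) {
    printf("naive unload order:   %d\n", scenario_naive("track.wav"));   /* -1 */
    printf("checked unload order: %d\n", scenario_checked("track.wav")); /* 0  */
    return 0;
}
```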
work now, read later
I have a question...I use Symantec's Internet Security Spyware Edition. Is that as sufficient as Microsoft's removal tool?
How is this helping the artists?? And what is the law about me buying a CD and burning a copy for my Husband to use at work? He's a contractor and wouldn't want to take anything but a burned copy to a jobsite.
The Sony debacle is worse than the one by Intuit in their TurboTax a couple of years ago. Intuit implanted a tiny file on the boot sector of the hard drive, and the only way to remove it was to completely reformat the drive. They lost me as a customer after over 10 years of continuous business, simply because of their attitude toward honest, paying consumers.
I honestly don't know. I use AVG as my anti-virus for those times I am forced to be on a Windows machine.
Same here. I use TaxCut now.
I believe that "fair use" laws allow that, as long as it is for personal use only (like you described).
Sony has every right to protect its products.
"I understand that there are probably a few people here who refuse to believe anything PJ says, but please--refute her on the facts rather than using any ad hominem attacks."
I believe that in this article she's the one doing the attacking with little by the way of facts.
First 4 Internet is responsible for the software they write.
It's doubtful that First 4 Internet revealed much of their copy protection software to anyone without NDAs in place. The DMCA also makes it legally difficult to go public about flaws in copy protection schemes.
At worst Microsoft or Symantec didn't rigorously test someone else's product. It's not Symantec's fault that First 4 Internet created a product with incredibly huge security holes, unless they were being paid as consultants to investigate such issues for First 4 Internet.
It's First 4 Internet that did a horrible job on their product, and it's they that should pay the price.
It appears that they are trying to spread the blame to avoid full accountability.
It appears that PJ is looking to try spread the blame onto others as well without any facts justifying it.
Understood. However, during that initial software review by MS, shouldn't MS have denied access to the low-level APIs for this purpose? With that one action, MS could have headed this off before it ever became an issue. With a refusal by First 4 Internet to play along, MS could have gone ahead and warned the public about it, or at least incorporated this rootkit into their Windows Defender software.
It's First 4 Internet that did a horrible job on their product, and it's they that should pay the price.
Agreed. 100%.
It appears that they are trying to spread the blame to avoid full accountability.
There may be blame here to go around. I'm not saying that MS is culpable in this farce, but they could have (if they knew about it) incorporated the detection for this into their own product.
You are absolutely correct. So what? Sony does NOT have every right to protect its products in every possible way. The point is that the method they used crossed the line between what is acceptable and what many think is unacceptable.
Sony has every right to protect its products.
What MS is doing is CYA. And to be honest, nobody (users and MS) expected a computer virus to come from the CD-Rom through a Music CD. A-drive yes, but not a CD-Rom drive.
This attitude has been pervasive since the virtual dawn of personal computing. Every time it causes lost customers. Sometimes a company literally goes under and then blame their customers for not embracing the company in light of its hostile efforts.
The efforts attacking the consumer are statistic noise when it comes to the problem of piracy. These efforts will not stop the well organized illegal duplication efforts in China, for example.
How would Microsoft like it if a hardware manufacturer decided to break the XP activation requirement? That's the kind of position they've taken regarding SONY's DRM-enabled music discs.
More and more mammoth media interests have been buying off Congress to shape intellectual property law to hinder competition and narrow consumer rights. The notion that works will pass into the public domain has become all but meaningless in our life times all the while some content creation companies, such as Disney, reaped the benefit of past works which have moved into public domain.
We need to demand reform. We need a patent office with competent and qualified reviewers, skilled in the technical arts, who won't be handing out patents like Pez candies. We need to take back "public domain" as the founders intended.
Sony has absolutely no right to implant a file on my system that causes a security compromise. They should be held legally liable for any such activity, including (but not limited to) the cost in hourly wages and/or cost of having a professional IT person remove it from my computer.
This is a classic lawsuit just waiting to happen.
How can you take Sony's action and turn it into a "blame Microsoft" situation? Sony is the culprit here, Microsoft is merely taking action to protect their own customers through the removal procedure.
The fact that the code was "cloaked" makes it damn certain that they knew that what they were doing was wrong; I believe the legal term is "evidence of consciousness of guilt", or something like that.
What Sony did is a felony in many countries, including the US.
This is going to be *very* interesting as it plays out, and I predict that it is NOT going to go away quietly.
Well, "First 4" and Sony. Both are culpable. Sony is going to lose business BIG TIME because of this. I will in future refuse to buy ANY product that I know is put out by Sony--not just their copy-protected CDs.
The market of consumers for SONY music acts will correct this "problem" if it is a problem. It is not Microsoft's right to disable SONY's DRM. If you begin to allow Microsoft or any other corporation a toe into regulating other companies' products, you'll find yourself in a place you most definitely do *not* want to be.
If the product is flawed, again, that's for SONY to correct. Or Microsoft. Or Apple. Or Symantec. Or any company for its own product. Even so-called "security patches" have been known to open other security risks. Try uninstalling a piece of software. How often do you not actually rid the system of each trace? How many "trial" software installs have caused legitimate customers problems when a full product has been purchased? These things happen.
My choice is to avoid this problem music distribution and therefore punish any company using methods that I don't appreciate.
Hmm. Interesting position. So it is your position that MS cannot protect its own IP (the CD driver) from being hijacked by another company trying to protect its own IP?
I guess it would also be your position that consumers should not try to remove Sony's (First 4 Internet's) IP from their own computer for the same reason?
As far as I can tell Sony has been irresponsible, has gone too far. I'm not a tech expert.
Sony and Microsoft are major players in the emerging DRM future. Where if you wanna play, you gotta pay. Nobody rides for free.
Thus the diplomatic tone where Microsoft and Sony have no wish to offend each other. Meanwhile the end user (read sucker) gets his computer filled with Sony's trash.
I can see where Sony would not want to offend MS. What does MS have to lose by offending Sony? There are many other labels that would be only too happy to work with MS. Sony's choices are pretty limited here.
I'm with you on that, but if any of these companies were consulted, and they were told about the rootkit, one would hope that they'd said something about it. I mean, installing a rootkit like they did should have been an immediate red flag.
I believe it is quite likely that if Sony or First 4 contacted any of these other companies regarding their product, it is likely they didn't fully reveal the nature of the rootkit to them.
"Understood. However, during that initial software review by MS, shouldn't MS have denied access to the low-level APIs for this purpose?"
I think Microsoft has taken enough of a beating over denying access to APIs through the anti-trust lawsuit. Microsoft has its own DRM technology, and it would be considered anti-competitive for them to prevent others from using the APIs.
The problem isn't that First 4 Internet used the APIs to create copy protection software. The problem is that they did so incompetently.
"With that one action, MS could have headed this off before it ever became an issue."
You're also assuming that MS knew the details of their implementation, which is unlikely at best.
"With a refusal by First 4 Internet to play along"
Why was Microsoft supposed to know there was a problem in the first place in order to urge First 4 Internet to fix it?
"MS could have gone ahead and warned the public about it, or at least incorporated this rootkit into their Windows Defender software."
When Microsoft was made aware of the problem, they investigated it and they incorporated detection and removal in their Defender software. The article doesn't say otherwise. It complains that they didn't do it IMMEDIATELY. Instead they took a couple of days to look into the issue and decide how they should address what is in reality someone else's problem.
The solution should have come from First 4 Internet and Sony. Microsoft is spending their own development dollars to put a fix in for free, and they're getting criticized for not doing it fast enough by a bunch of ungrateful armchair quarterbacks.
It's basically people treating Microsoft like liberals treat the government. There's something wrong with my computer because of some software I installed that someone else made. Microsoft needs to fix it!
"There may be blame here to go around. I'm not saying that MS is culpable in this farce, but they could have (if they knew about it) incorporated the detection for this into their own product."
The evidence seems to indicate that they did exactly that, once they were made aware of it. They even did it at their own expense, which is admirable.
Ummmm, I don't have any of the CDs and don't have the software, but I'm betting that when the CD is installed it pops up a license agreement and gives you the option of installing their software.
Now it does seem questionable whether their software reporting back to Sony without notifying the user is legal, and that's likely going to get litigated.
However, I don't think Sony installed copy protection on people's computers without them being aware of it.
First 4 Internet is responsible for producing a product that made people's computers less secure.
Sony is responsible for not doing a better job of making sure the software they were using from First 4 Internet was a quality product.
Sony is also responsible for having this software report back to Sony without making the user aware that the software was doing so.
I agree that not buying CDs put out by Sony is a reasonable way to hold them accountable for their actions.
I don't know all the facts, but in principle, any company that collaborated in this fiasco is partly responsible.
I hope some lawyers get rich on this. This is a digital Bhopal.
That's the problem, you see. Nothing ever indicated it was installing this software.
Nothing.
However, I don't think Sony installed copy protection on people's computers without them being aware of it.
You're incorrect. The major reason for this outcry is that Sony DID install software on consumers' computers without them being aware of it.
According to Mark Russinovich, on his blog describing the discovery:
I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad. Sony never mentions anything about it.
You obviously didn't read Russinovich's article. He specifically looked for such language in the EULA, after he had removed the rootkit. It wasn't there. Whatever he had consented to, it didn't include having his box rooted.
I read Mark Russinovich's report. It says that he was unaware that it installed a rootkit, not that he was unaware that it installed software. To listen to the CD on the computer you had to use their media player, so it's not credible that people would not know that Sony installed software on their PC.
"Through a detailed analysis of communication between the media player installed from the Sony CD and the rootkit files, Russinovich was able to determine that the rootkit files were installed with the media player and communicated with it."
Russinovich was aware that he installed the media player, he was unaware that the rootkit was part of that install.
And you think that makes it OK? That he "consented" to this?
This is true of all current spyware. You have to agree to have software installed.
There are a couple of problems here. Websites require so many plugins that people just ignore the warnings and agree. It's a habit.
Second, once the Sony kit is installed, you are no longer warned about programs being installed, particularly if you use Sony's removal tool.
How'd you learn about 'this problem' to know to avoid it?
If Sony had used a pop-up notice, and informed the customer that a 'rootkit' would be installed in their PC and that their PC would phone home on its own to report their habits, how many would have continued to use the CD in their PC?
I think observers made aware here have a different feeling about this than those that purchased and used a Sony music CD in their PC, and are now facing a rootkit removal that might trash their HD.
Well and good, so long as their protection measures do not transgress the sanctity of MY hard drive. I pay for a CD, I want a CD, not cloak-and-dagger software sneaking around behind my O/S.
What next? Every Sony CD comes with an illegal alien who goes home with you and follows you around everywhere to make sure you don't make illegal copies?
FEH!
"And you think that makes it OK? That he "consented" to this?"
Do you think that other software you install lets you know exactly what it will do? Does your antivirus software let you know when you install it that it might contain a rootkit?
I haven't read the EULA, I don't know what it says. I agree with you that it should tell the user that they are installing copy protection code. They should also have to provide an uninstaller since the software hides itself from the operating system and cannot be removed by normal means.
The fact that this software allowed other programs to hide on a person's PC is a bug. It's a huge security hole.
But they didn't install software on the user's PC without the user being aware of it.
The fact that it opened up the user to having trojans hide on their PC was an unintended consequence of bad programming by the developer.
The software I install on my machine does exactly what it is advertised to do and no more. There are no hidden rootkits, DRM, virus, trojan, or anything similar on my machine.
Of course, I don't use Windows, so I have more control over my computer than most people have.
The fact that it opened up the user to having trojans hide on their PC was an unintended consequence of bad programming by the developer.
Perhaps. Perhaps not.
To a point, the original poster may be correct. It is still debated whether disabling any company's DRM (no matter what the circumstance) is legal under the horrible laws we have in place now.
It's also debatable if we are all breaking the law by discussing ways to disable SONY's copy protection scheme under the DMCA.
I imagine this is why Microsoft has been very careful about how they approach this situation. Under the DMCA and the EU's equivalent law, Microsoft could easily be liable criminally if they approached this in the wrong way.
Unfortunately there is a good chance that Sony is totally protected under the DMCA. If anything, the companies that provide removal tools will most likely be the ones sued and prosecuted.
Then terrified this writer should be. I can count the number of times I've seen a non-Windows machine in a federal government setting on the fingers of one hand.
Generally speaking, you probably want to have more than one anti-spyware program on your PC, because none of them catch everything. I see nothing wrong with you installing Microsoft's tool as well. I don't know if you'd want to leave both the Symantec and Microsoft tools running live at the same time, just because it might be a waste of CPU resources. Maybe keep one live in your system tray and use the other to run manual scans once a week or so.
I understand where you're coming from. I also agree that this is probably reality. If this is truly the case, we are screwed. It needs to be fixed.
I read the article. There's no mention of a rootkit in the EULA, of course the term rootkit wouldn't mean anything to 99.999% of the people buying the CD anyway, so that's kind of a pointless argument.
Here's what the EULA says:
"As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the SOFTWARE) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise. "
That sounds pretty clear to me that they are going to install DRM software on my PC. This is where I click no and don't install the crap.
Russinovich makes an extremely important point that the EULA does not tell you that you are installing software that you cannot uninstall. That should land Sony in court.
My point wasn't that Sony did a good job of making it clear what they were installing or that they fulfilled their responsibility in the matter.
However, this software didn't just get put on people's computers with no notification. They chose not to read the EULA or didn't understand it.
People do have some responsibility to know what they are installing on their systems.
I hope this is the outcome for Sony and First 4 Internet, they richly deserve such.
"The software I install on my machine does exactly what it is advertised to do and no more. There are no hidden rootkits, DRM, virus, trojan, or anything similar on my machine."
Out of curiosity, do you use any closed source drivers on your Linux box?
A rootkit is just a name for software that hides things from the normal OS interfaces. It hides things from those who don't know the OS well enough to dig in and find them.
Mark Russinovich used to teach classes for OSR on writing drivers. I don't know if he taught the classes on the interfaces that would allow for creating a rootkit, but I know he taught other driver classes, because I took a class from him.
People writing anti-virus software are going to create rootkits. When you tell someone to install an antivirus program you're likely telling them to install a rootkit.
Read Russinovich's original article. What pissed him off was that the software had huge security holes and that it didn't come with a way to uninstall it.
Sony/First 4 Internet definitely did some underhanded stuff with their software because it reports back to Sony. However, I would expect just about any DRM software to include some form of rootkit. It's not surprising that this software includes a rootkit. It's surprising that it's easily exploitable, and that it's reporting back to Sony when it's used.
Actually, I don't. There are closed source drivers available for various elements of my system (ATI, wireless, etc), but I choose not to use them. I don't use any software that requires them, and feel no need to install them just so I can claim that I can run 3D shoot-em-ups on a Linux box. Also, if I do decide on installing closed source drivers in the future, plenty of research will be performed to be sure that they are only that--device drivers and nothing else.
Mutually incompatible rootkits would be even worse. So would a rootkit designed for one manufacturer that "accidentally" interfered with one designed for another. Don't think it won't happen.
I have a simple solution - purchase NO copy-protected CD's. When the artists start bitching that their sales are down they will know the reason why. That is the only way we're going to reach these people - they have been very careful to see that pertinent laws protect them, which is why they have legal staffs and cryptic EULA's.