Posted on 11/18/2005 3:16:07 PM PST by Eagle9
Sony's controversial copy-protection scheme had been in use for seven months before its cloaking rootkit was discovered, leading one analyst to question the effectiveness of the security industry.
"[For] at least for seven months, Sony BMG Music CD buyers have been installing rootkits on their PCs. Why then did no security software vendor detect a problem and alert customers?" asked Joe Wilcox, an analyst with JupiterResearch.
"Where the failure is, that's the question mark. Is it an indictment of how consumers view security software, that they have a sense of false protection, even when they don't update their anti-virus and anti-spyware software?
"Or is it in how data is collected by security companies and how they're analyzing to catch trends?"
Sony's list of 52 albums with the XCP copy-protection include CDs that were released as long ago as late March, said Wilcox.
"If Sony's software exhibits so many characteristics of a malicious rootkit, why wasn't it detected?" Wilcox asked. "When you have half a million or a million or two million CDs all 'phoning home' to Sony, shouldn't that trigger some [warning] somewhere by something?"
Early in the Sony brouhaha, researchers found that the Sony copy-protection technology was surreptitiously transmitting the user's IP address to Sony.
"We all missed this," acknowledged Sam Curry, vice president of Computer Associates eTrust security group, which develops and sells the PestPatrol anti-spyware line.
"It has to do with where security companies look for malicious code, and where samples come from. We still need that first sample in order to identify a threat. The whole security community failed to go to stores and check out commercial CDs."
Anti-virus and anti-spyware security vendors essentially rely on two sources for the malware samples necessary to create detection definitions, Curry went on. One source is users who report problems, the other is proprietary networks of honeypots -- dubbed honeynets -- set up to snare worms and spyware.
"Why did we miss this? We didn't check CDs or DVDs for malicious code like this rootkit," said Curry. "Now, though, we've begun a program where we'll regularly go out and buy sample CDs and DVDs from the major labels and studios, and check them for things like this."
And only users who are very well versed in Windows -- as is Mark Russinovich, the researcher who was among the first to go public with information about the Sony rootkit -- would be likely to send in reports to a security vendor, added Curry.
Curry offered up other excuses for his industry missing the rootkit boat.
"Frankly, we were busy looking for where the [spyware] money was going," said Curry. "We weren't looking at legitimate industries."
He also said that Computer Associates had the rootkit on its radar this summer, but didn't act. "CA did catch one of the earlier iterations of this rootkit in July, but we only saw a sample or two. It just wasn't very widespread. It wasn't a very big bell ringing." Now, however, it's a different story.
"Admittedly, the security industry is too reactive. But this has been a wake up call for all of us."
Other anti-spyware firms contacted for comment declined to respond. At least one cited legal issues.
Curry blasted such colleagues. "I've yet to hear many in the industry come right out and call the Sony rootkit 'spyware.' That's unforgivable."
Note: We will shortly be releasing new versions of these titles without the XCP software. You therefore need to check this list for both the name of the album and the item number (which can be found on the spine of the CD). If the item number is not listed below, your CD does not contain XCP content protection.
Note: Two titles, Ricky Martin's "Life" and Peter Gallagher's "7 Days in Memphis", were released with a content protection grid on the back of the CD packaging, but XCP content protection software was not actually included on the albums.
I'm amazed anybody bought any of those albums, except maybe for the Sinatra.
whew!!..Jahati's Used Turbins cool camel nights didn't make the list
Doogle
Sony had very specific markets in mind.
Note how far it went into the various networks.
Why? Because damn few people actually know what is really happening on their Windows PC. It is intricate and esoteric. For myself, I just wipe the damn things when they start acting funky. It's too much of a bother to track this stuff down anymore.
Looks like the "old fart" market!
ROFL
Who's got the money?
The government ;)
Oldies. This is not stuff aimed at high-piracy market segments. Sony would have done better to start with rap and hip hop.
Oh, no! Not "Bette Midler Sings the Peggy Lee Songbook"!
I was just planning to buy two dozen for Christmas gifts!
</not>
I see some good stuff on there, and some junk. If I were one of those artists I'd be fuming over this!
#18, 27, and 28 are re-issued jazz classics
There may be 52 titles but how many dozen customers were affected?
Sort of a contradiction in terms, no?
I'm not sure anybody knows how many people had the rootkit on their computers but it infected a large number of networks worldwide. See example below.
Source: http://www.freerepublic.com/focus/f-news/1522663/posts
More than one-half million networks infected by Sony including U.S. military and various countries.
Well, I'd also add the Louis Armstrong.
Thanks. For many of those titles, I was asking myself if anyone would buy a CD.
Probably the most reliable person who has touched on the issue is Bruce Schneier, in this article (the followup discussion is also somewhat interesting.) To take a selective quote from his article:
The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.
I was just planning to buy two dozen for Christmas gifts!
Bette Midler and Sony's copy protection: two reasons to give something to someone you don't like.
Agreed. Would anyone who purchased a Shel Silverstein, Burt Bacharach or a Neil Diamond CD even know how to rip a CD?
Were they afraid that illegal copying would drop their sales from thousands to hundreds of albums?
Thanks for the link to Schneier's weblog. I think he did an excellent job of researching and analyzing the rest of the story.
This has been yet another example, i.e. Dan Rather, of Internet bloggers and bulletin boards not letting the MSM control the news.
Bloggers Break Sony
November 16, 2005
[excerpt]
"It seems crystal clear that but for the citizen journalists, Sony never would have done anything about this," says Fred von Lohmann, senior intellectual property attorney for the Electronic Frontier Foundation, a cyber liberties advocacy group that has been vocal in its condemnation of Sony and may eventually file a lawsuit against Sony, in addition to three that have already been filed. "It's plain to me that it was Sony's intent to brush the story under the rug and forget about it."
Alan Scott, chief marketing officer at business information service Factiva, said, "I think that we're in an entirely new world from a marketing perspective. The rules of the game have changed dramatically. The old way of doing things by ignoring issues, or with giving the canned PR spin response within the blogosphere, it just doesn't work."
Hey....
I've got the new Switchfoot album. I just dug it out and it says it has stuff to limit the number of copies I make. Says nothing about installing software on my PC. Fortunately, I haven't played it on my PC.
Switchfoot...
I don't have any of their albums.
1. Installs software BEFORE the EULA is accepted
2. Phones home
3. Has no uninstall
4. WWW uninstaller leaves the same blatant security breach
none of which has been particularly discussed in the mainstream media.
For info see here.
Also, in an event unnoticed by almost everyone back in October:
SunnComm is threatening to sue the student who exposed part of this for $10 million!!!!!
"SunnComm has threatened Princeton PhD student Alex Halderman with the Digital Millennium Copyright Act (DMCA) for exposing a key weakness in the company's latest CD copy protection technology, MediaMax CD3. The company said today it will take legal action against Halderman for revealing how MediaMax CD3 can be bypassed by holding down a Windows PC's Shift key when a protected disc is inserted......
"SunnComm today said the paper was "erroneous" and contains "false conclusions". On the back of said, "Halderman and Princeton University have significantly damaged SunnComm's reputation and caused the market value of SunnComm to drop by more than $10 million," the company alleges.
For more see here. The student's original paper is here.
Note: the above quoted article's statement that the SunnComm software waits for the EULA before installing the DRM software is incorrect. The software is installed and RUNS before the EULA appears; the RUN on any subsequent bootup, however, is unchecked until the customer accepts the EULA.
For more info on the SunnComm pre-EULA install, and all of the related issues which are just as bad as First4Internet's XCP DRM, see here. I encourage you to read this very well done article.
Sony should now be being roasted just as badly over the SunnComm DRM, which is still being shipped and which has not had the media uproar that it also justly deserves.
Nope. Switchfoot is Teen Christian Rock.
Isn't that what usually happens when a company that sells snake oil gets exposed? Is SunComm trying to suggest that it should be illegal to expose snake-oil salesmen?
Some of these are recordings 50 and more years old for which Sony pays zip royalties (if they, or the previous owners, ever paid), and unlikely to ever show up on the PnP networks. What were they thinking?
Thanks for the links, especially that last one. I had read about Sony's SunnComm DRM on CDs but not about how it installed before the EULA.
The negative publicity for Sony is far from being over -- just now really starting.
Several of these jazz CDs had been issued a few years ago but the audio quality of the U.S. version was inferior to those released in Japan. The imported copies were digitally remastered from the original master, often at 20 or 24 Bit instead of the standard 16 Bit. The imports were available here in the U.S. but in limited quantities and at a much higher price. American jazz has always been more popular abroad, Europe and Japan, than in the U.S., until recently. Many albums that were considered as classics are now being re-released here in the U.S. with the same audio quality as the imported versions. That having been said, the sales numbers of all remastered jazz, not just Sony's, would pale in comparison to just one or two hip hop or any other genre that is a chart topping multi-platinum seller. What were they thinking? Except for possibly floating a trial balloon to gauge public reaction, I can't imagine any rational thought being given to such extreme measures as this DRM that Sony has unleashed.