“if a teenage kid had done this, they’d be up on charges.”

Sony Music is selling copy protected music CDs that install a poorly written rootkit on your computer. There DRM (DIgital Restrictions Management) software keeps you from making unauthorized copies of your CD, and eats up computer system’s resources, making it run slow and crash. You can’t play the CD on your computer without installing their software, and the software is the rootkit. Rootkits are bad, they’re security bypassing software, usually to let others take control of your computer, and stay hidden while doing so. The insidious thing about this root kit is it’s shit simple for any one to write an exploit to use it as the basis for their own worm/virus/trojan/spyware/spam tool, and own that would be invisible to security software or scanners you might have running (if you have any sense, that is) from Battino’s O’Reilly Blog:

Just few days ago I wrote a rootkit that acts as a DRM system. I was thinking I could demonstrate that the [European] law will protect malware, too, which is obviously unintended. But to see the same techniques are used in an actual DRM scheme already being deployed, I’m shocked.

Thanks Sony! Now when I write my worm, all I have to do is name it “$sys$” and it’ll be “auto-cloaked” on systems you’ve compromised.

My scan tools will trip over this as an altered system call. Meaning much more work for me, much more work for the systems administrator, and much pain for everyone all the way around in the longer run.

(Earlier in this post the author wonders how Microsoft will react. So do I. If they don’t come down hard on Sony, who’s gonna believe their “Trusted Computing” BS. But they spend so much time sucking up to them…does anyone know why a company with more money in the bank then the entire entertainment industry combined is so scared of it?)

The Malware/worms/virii shitstorm from people who didn’t know about the rootkit and loaded these CDs on their computers will take years to eradicate. Sony will probably get off scot free, and dump their surplus inventory on the third world to cripple their nascent infrastructure…

The geeky meat of how this was discovered is here.

If you’ve already loaded one of these CDs, either hire your local geek to disinfect, or backup and reload Windows. Try and get a refund on your CD-good luck there, most place will not take a return unless it’s scratched. But that’s not all you should do.

Do Not Buy Sony Music on CD. Do not play their CDs on your computer. Hell, let’s boycott all Sony products and teach them a lesson. Because if we don’t, this will keep happening, and it will keep getting worse, with ever more corrupt software wedging your computer, and slowing the net to a crawl.

Unless your among the supposed majority of people on this planet who believe that Companies and Rich People may do what they want (y’know who you are, you voted for Bush and Blair). In which case just bend over and spread it like the good sheep you are.

Again from Battino’s blog post:

The odd thing is, this must have been happening for some time. This shows just how poorly we’re protected by virus scanners.

It’s ironic that Sony, the ones who brought us Fair Use in video [by defeating the Betamax lawsuit] are as draconian as they are now.

(with thanks to the Reel Jeff for the heads up, and the quote.)

4 thoughts on ““if a teenage kid had done this, they’d be up on charges.””

  1. Thanks for the head-up.

    I downloaded rootkitrevealer, ran it on my computer, and came up clean (just some harmless stuff from the program itself, and a Norton timestamp.)

    But, in an excess of caution, I took a suggestion on the discussion board for the blog where I got it, and disconnected myself from the network first.

    Was that wise? Should I run it again while connected to the network, or will that screw up the network?

  2. I can’t say anything about the state laws on spyware, because I don’t know them.

    And anything I say about the other claims has to be qualified, because the EULA selects NY law, and I don’t practice NY law.

    But I wouldn’t get my hopes up about a civil suit based on the EULA. Even aside from all the disclaimers in the EULA, the presence of the DRM system is prominently disclosed on the Amazon link on the page you link. And the language in the EULA is probably enough to insulate Sony from liability for failure to disclose any more details.

    Anybody who bothered to read the warning, or the EULA, knew they were getting DRM software installed on their system. Granted, the software is (presumably — I don’t know — how does Apple do it?) more intrusive and problemmatic than, say, what Apple does with iTunes. But consumers wouldn’t know the difference anyway.

    Sony is not, by a long shot, the only company which puts dangerous, intrusive shit on your drive. It’s how the tech industry does business, for God’s sake.

    Now, Ffej, go ahead and make me out to be the Great Satan for suggesting that there’s not much anyone can do about this. But keep in mind that I like it less than you do.

    I don’t buy copy-protected CDs. Period. I don’t download music. Period. I operate on the assumption that the control freaks in the tech industry put all sort of malicious crap on my computer, and act accordingly. This incident demonstrates that’s a safe assumption.

    I don’t own a computer. Period.

  3. Below is a link to a very good article, which explains exactly why Sony is a piece of shit for doing this.

    Now, copy and paste that article, and substitute “internet explorer” for every reference to the Sony DRM software, and substitute “MSN” for every reference to “Sony.” Granted, there may be some technical differences in the problems, but the overall problem is basically the same.

    You can do that with many, many software programs out there that are loaded on to hard drives all over the planet.

    This is an indictment of the way the most of the tech industry does business. Everyone uses ridiculous EULAS. Everyone uses DRM. Everyone uses EULAS you don’t see until after you buy the shit. Everyone is control-freaky about their “intellectual property” rights. Everyone does shit to your computer that you don’t know about, and can’t find out about unless you’re a techie.

    To a consumer (what I am — I lack any meaningful technical skills,) the attitude is: “So why you picking on Sony — you all do this shit to me too?” To a consumer, it seems that the tech industry has decided to make the music industry the whipping boy for all the bad practices the tech industry invented. That’s scape-goating, and denial.

    Techies, heal thyselves.*


    *Not counting the heroes who produce open source systems, subject to public licenses — you are our only hope, God bless you.

Leave a Reply