Schneier on Security

I'm personally hoping that all this preverse DRM and malware nonsense over the last several years will simply to a more mainstream adoption of the open source desktop.

After all, given that companies only tend to care about their own interests, and often not that of their consumers at all, who do we have to trust but the programmers writing software for the sake of writing good software?

Bruce -

Thanks for pulling all of the details of this sad and sordid affair together into one place that I can point the less security aware toward to get the whole story.

Feeding one individual column after another just wasn't putting the whole thing in perspective...

You are very right in your assesment, the AV companies and Microsoft sold out their users.

I stated on my site a couple of days ago:

"Most conventional media and even AV/Software companies are carefull in their wording, calling this program rootkit-like or spyware-like. This is very untrue. This program is spyware containing a rootkit. It fits all the requirements to be called that and quite frankly, to the end user, it does not matter if it is intended to prevent copying or to connect to rogue irc channels.

This is a piece of software that damages your system and puts your security at risk without your consent. It is not only immoral, but also illegal in most countries (criminal prosecution is already on it's way in Italy) and for the sake of our future security, I hope that Sony is prosecuted to the fullest extend allowed by the law for doing this."

This is a key point, why should a mega-corporation be allowed to do what is illegal for a criminal organisation or a lone cracker.

It's worth considering that companies like McAfee and Symantec might be very wary of declaring this as "bad" code and removing it lest Sony sue them under the DMCA for tampering with their DRM. I fully expect this will not be the last time this will happen.

The story Bruce referenced about Sony pulling the XCP disks from store shelves is dated 11/14. As of last night, 11/16, the Target store in Columbia, MD, still had the Van Zant and Neil Diamond disks, all with the XCP label on the back.

More lies from Sony or is Target just out of the loop?

The other "deafening silence" comes courtesy of certain anti-security research folks. The same people who have argued publicly that identifying vulns should be a crime, and that only vendor employees or contractors should be permitted to do it. The same corporate officials who say that their firms will "of course" look after the customer by fielding only reasonably secure SW, since it would be against their interest not to.

These people just got a nice strong dose of "I told you so", and they now need to admit that the Russinoviches of the world are performing an important service. I won't be holding my breath waiting for this admission. After all, these folks are the same ones who'd have had Russinovich shut up and just report the issue to Sony. That'd be funny, if it weren't so pathetic.

David Durant stated that thought that first came into my mind when reading of the AV companies failure to act on the Sony DRM. Could they have been sued for libel if they called the DRM a 'rootkit' or 'spyware'?

This won't make any mainstream users jump to Linux. It might shift some to Apple but not many. Some dual booters might ditch the MS partition but they would be likely to anyway.

Bingo! You hit the nail squarely on the head.

I've always thought that it was only a matter of time before our so-called "security" products would be compromised by parties having more money than the customers. I have never trusted Microsoft's firewall because I am fairly certain that it has deliberately been made pervious to traffic that Microsoft doesn't want me to control. I used to think McAfee and Symantic were OK, but this episode has forced me to reevaluate.

It suspect that all for-profit companies are susceptible to the lure of cash, and most or all of them will turn against their own customers when enough money is at stake.

Bruce, I think you failed to use proper terminology. That what you call "the cloaking device" is in fact what it make it the rootkit.The name of the whole package can be, for example, the Sony's DRM enforcement software, and not "the rootkit". However the whole "enforcement software" is even without the rootkit feature very mean -- it hooks deep to the system, to the CD-ROM drivers, making potential problems for other uses, it phones home each time you play the protected CD.. The "uninstallation software" was even meaner.

Had all this been done by some person, he'd get a sentece for a very long time in jail. Sony did this and nobody was punished. That's really inexcusable!

"The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us."

Thank you for saying that, Bruce. That was brilliant incisive truth-telling, and it needed to be said. Anyone who buys security software now needs to think very carefully about whom they buy it from.

I generally use OS X, but I was thinking about buying a ThinkPad so that I had Windows XP available to me, too (and Linux if I dual boot). But you know what? It comes with Symantec's Norton antivirus, and I'm *really* not happy about that. First 4 actually claims to have consulted Symantec about the rootkit before they shipped it - and I haven't seen Symantec deny that yet. There's just no way I will have Symantec products on any of my machines now.

Ship it with F-Secure or Kasperksy, Lenovo, and I'll think about it.

I hope a lot of sites link to this piece, because people need to be aware of this.

Another aspect for which Sony is not (yet?) being held accountable is their organizational culture. A culture which
seemingly institutionalizes that:

- Play-list payola is not wrong.
- Faking movie reviews is not wrong.

Now we learn that in the Sony culture:

- Rootkit'ing is not wrong.
- Uninstallers that don't uninstall, is not not wrong.
- Infringing on the copyrights of others, is not wrong.

What's next from Sony? Dunno. But I wouldn't be shocked by much of anything at this point.

-doug

"It suspect that all for-profit companies are susceptible to the lure of cash, and most or all of them will turn against their own customers when enough money is at stake."
Ironically, Sony haven't made money from this, they've lost it, together with lots of respect; and it's unlikely that they would ever make money from DRM- DRM is inherently too easy to circumvent. There's always the analogue hole.

You've miss the real story of what this is about.

Sony does not like Apple. Sony especially does not like the iTunes store and the iPod, which pretty much wrote paid to the Sony Walkman. Sony cannot compete with iPod, so they introduced this "dirty trick" that supersedes even Watergate.

This DRM makes huge chunks of the available "name" music unplayable in iTunes and unable to be written to the iPod. Thus, iPod users would have to turn to Sony technology as a result.

Always follow the money - and the $$$$ here is Sony's attempt to deal Apple a death blow.

"A tale of extreme hubris..."

Well said Bruce.

Security and trust are interwoven. Can we now trust anything from Sony?

I know I won't...but feel free to take your own chances.

Personally, I am outraged by Sony's actions and response.

And they made such quality gear at one time...sigh.

I am now going to re-visit my portfolio to make sure I am not invested in any funds that own Sony shares.

I will never purchase music again from a big-name label, but only directly from the artist.

I will subsidize artists I like who do not make their music available via direct channels by attending their live performances.

Any big-label released music I like, I *will* pirate and I *will* file-share.

I absolutely agree.

Of course, I've always tended to view antivirus firms with a jaundiced eye, as I do any business that profits from others' misfortunes, legitimately or otherwise.

I just can't shake the image of that cartoon of the vulture sitting with his buddy and saying "Patience my a** - I'm going to kill something!"...

This sony thing is turning into a geek version of the "Jerry Springer" show. I can understand the hesitation of the anti-virus and anti-spyware vendors. I can even understand Microsoft not jumping on it the minute the sony DRM package was unveiled. They were probably shocked and confused that a big company like sony would do something like this and decided to tread lightly. It's almost like finding bodies in your moms basement. It's always a little harder to see the enemy within. But now the cat is out of the bag and sony (and hopefully others) are now realizing there is a point when their property becomes mine. As I've said before the ph33r over pirating isn't from the P2P end user, but from the first generation pirate. It's just easier to go after the little guy.

I'm reminded of the old saying, "The Net interprets censorship as damage, and routes around it." In this case, Sony's attempt to "control the situation" ran afoul of the larger system comprising the Internet -- and that larger system reacted almost as an organism, progressively invoking more and more defense strategies in response.

Congratulations, Bruce -- you're part of the Internet's immune system! ;-)

@Robin - while you may be right, I think this story is like the proverbial onion -- as you peel away one layer, you find more waiting beneath. There are certainly many facets to the story, and I think Bruce's commentary is a good warning to all of us as to what we can expect if the interests of the media companies (or the telecom companies, or any other monopoly-wannabes) succeed in getting our legislatures to give them all they ask for.

-EdT.

Thanks for the kick-ass reporting, Bruce. Terrific story!

Deborah

"The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization."

"Multinational corporation" and "criminal organization" are not exclusive sets.

I earlier questioned the culture at
Sony that could institutionalize and
reward the choices made by Sony execs ...

Is Sony the rogue in the entertaiment
and gaming industries? Willing to
attempt to gain a competitive advantage
unfairly?

Or; are they simply running-in-place and
trying to keep up with their competitors?
i.e. Unfortunate industry laggards that are
playing the game so poorly that they are
the first to be apprehended.

I have seen a few mentions that EMI and
Warner also license the XCP rootkit, but
they are not of a nature that I consider
fully trustworthy. Anyone have authoritative
data re: other possible XCP licensees?

-doug

You ain't seen nothin yet.

TCG/TCPA/Palladium are gonna lock down the PC pretty damn tight.

Your cellular will be no better. Heck, even your disk-on-key will have DRM capabilities (e.g., SanDisk's Gruvi).

All this (and more) made possible because the masses (1) have zero comprehension of the technology and its implications, and (2) are easily cowed by sufficiently grave men saying "national security" in appropriate baritones.

Dark ages, here we come...

Remember this wonderful C|Net quote: “The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.� It used to be in this article: http://news.com.com/Sony+CD+protection+sparks+security+concerns/2100-7355_3-5926657.html?tag=nefd.lede

The article now reads, "First 4 Internet, said the cloaking mechanism was not a risk. The company's team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said."

What happened here? I see no notice of the change on the web page. I'm contacting the author of the article to find out.

Bruce: This is an exelecent article, giving an overview of the situation, and some editorilizing, rather then just the latest blow and a summary of yesterday's article, like most news orginizations have been doing.

However, I have two questions: You mention that this has been going on since '04. Why did nobody notice before now? I assume you do not put yourself in with those you accuse of bending to corporate, rather then customer, interests. Also, why do you accuse Sony and First4Internet of criminal acts, and then call them "not a criminial orginization"?

"You mention that this has been going on since '04. Why did nobody notice before now? I assume you do not put yourself in with those you accuse of bending to corporate, rather then customer, interests."

It's a good question. Part of it is the CD transmission vector. Part of it is that the anti-virus companies don't look in those places. But a lot of it is that the anti-virus companies don't consider things that corporations do to be malware.

"Also, why do you accuse Sony and First4Internet of criminal acts, and then call them 'not a criminial orginization'?"

Because a criminal organization is one that is primarily devoted to crime, not an organization that happens to commit crime.

"Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit."
-That's nameservers, not computers.

http://www.doxpara.com/?q=sony

My first experience with Root kits cost me my job. When I saw the $...$ my heart jumped. Short story:

I worked doing tech support for a pc/printer company. Every once in a while we would get a call where the printer would stop talking to the pc and it would generate the same series of error messages. I found myself at a pawn shop several months later (helping a friend find tools stolen out of his garage) and bought a pc that just came in. What do you know....same error messages when I installed the driver! Some friends and I poked around on it for weeks and found a cloaked program hidden deep in the system. It logged several things like keystrokes, modem use, and files accessed on the system. It also tried to call an IP that seemed to exist sometimes and then disappear. Anyhow, we found that the virtual port that the printer driver created would get corrupted and lose connection with printer. We brought this up to some of the staff on campus. At first they were enthusiastic....and then not. I was fired a little over a week later for time clock manipulation. I guess being on time is manipulation. I still don't know what I found. For the last four years the IP still appears and then disappears in the Baltimore and Virginia areas....weird!!!

@anonymous: "That's nameservers, not computers."

Since each nameserver filled a request for at least one client machine behind it, that means that the number of nameservers puts a lower bound on the number of affected machines. In some cases, like, say, AOL's nameserver, the one nameserver could easily represent a million client machines.

You asked the question "What happens when the creators of malware collude with the very companies we hire to protect us from that malware"?

Substitute words like "makers of weapons", "purveyors of oil", etc, in the 1st half of your sentence, and replace "with the very companies we hire to protect us" with something like "with the government that we elect (and the intelligence agencies it has established) to protect us" in the second half of your sentence, and we have a pretty clear picture on what's been going on. Callous disregard for anything except self-interest.

Can't speak out against Sony - they buy 25,000 copies of our software. Plus we don't want anyone pirating our software either - I feel your pain, Sony.

This attitude is poisoning our country, with deep and not very pleasant future ramifications.

Excellent commentary, Mr.Schneier.

Well researched and thought out article. Now, we can only hope Symantic,
McAffee, Sony and Microsoft step up to the plate, be good corporate
citizens, and answer the call (HA!)

@ Daedala

> The article now reads, "First 4 Internet, said the cloaking mechanism was not a risk.
> The company's team has worked regularly with big antivirus companies to ensure the safety of its
> software, and to make sure it is not picked up as a virus, he said."

Wow, are you serious? There's a bad "feature" of the Internet... reactive version control. C|Net should take some pretty severe criticism for that one, I wonder how much of their ad revenue comes from Symantec?

@ Daedela: "Remember this wonderful C|Net quote: 'The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.'"

Yes, I do. Wow! Gone just like that ...

I'm reminded of those old Soviet photographs from which various embarrassing figures would be silently airbrushed out.

Just how deep do the ramifications of all this go?

@Pat

Quite serious. Ask the Google Cache.

http://www.google.com/search?hl=en&lr=&rls=GGLG%2CGGLG%3A2005-38%2CGGLG%3Aen&q=%22creator+of+the+copy-protection+software%22+symantec

The para may have been changed for a legitimate reason, but there's no notice on the page about any corrections.

--
What I say does not represent the views of my employers, my friends, my cats, or myself.

@ Daedala and Pat Cahalan

> Wow, are you serious?

Yes, He is serious, Google Cache shows the old article version.

http://64.233.187.104/search?q=cache:NR0uu92bowcJ:news.com.com/Sony%2BCD%2Bprotection%2Bsparks%2Bsecurity%2Bconcerns/2100-7355_3-5926657.html

Ops! I was too slow.

"Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions."

According to an entry in their weblog poste on November 2nd, 2005 which was titled "Please stop flaming us" (http://www.f-secure.com/weblog/archives/archive-112005.html#00000694) F-Secure "started working on this case on 30th of September when a user of our F-Secure BlackLight rootkit detector started discovering these files on his system and contacted us". They "were in the middle of discussions with Sony BMG and First 4 Internet when Mark [Russinovich] broke the news on Monday."

It would be rather nice to know the details of those "discussions".

By the way, F-Secure "didn't go public with the info right away as [they] were worried with the implications (especially with the info on how virus writers can use this to hide files which have names starting with "$sys$")." How should we feel about that line of reasoning?

The senior editors at cNet can be contacted via these email addresses: jais@cnet.com, sard@cnet.com, Jon.Skillings@cnet.com (pulled from the news.com.com "contact us" page). I advise that people concerned about this sort of editorial revisionism contact them and let them know.

Thanks, Bruce, that was an excellent article and a service to the community.

I highly suggest everyone to go to First 4 Internet web site and read their press releases. Very interesting information.

Excellent article! For me, this raises the question: what's the difference today between organized crime and organizations acting criminally? :) As governments become increasingly challenged to enforce controls due to interconnectivity, who will protect the people?

re:"It's unlikely that this Sony rootkit is the only example of a media company using this technology."

I bought a Blue Note Jazz (EMI) disk that also had copy protection software. When I inserted the CD on my Windows XP machine, a dialog box opened, explaining that new software had to be installed in order to play the CD. I clicked "no" and the CD (is it really a CD when it does this?) was apparently accessed normally. I later did the simplistic check for the Sony rootkit - ensured that $sys$xxx.txt did not disappear - and it appears I was not infected by Sony's DRM. If EMI is not associated with Sony, then I think they are another example of a media company playing with fire.

What doesn't seem to be getting much comment is the relationship between the DMCA and rootkit removal. I see a very interesting legal challenge here, irrespective of any EULA. Thots?

Bruce,
the next twist in the saga is even more bizarre: It seems that Sony got some of their code for the rootkit from open source, in particular from Jon Johansen ("DVD-Jon"). (See http://nanocrew.net/2005/11/16/sony-drm-rootkit-saga/ for some links and background.)

If this holds true, and Sony's use of this is a violation of the open source copyright, then we can have the deeply ironic situation that DVD-Jon can sue a music company for intellectual property violation. Talk about turning the tables...

Now enter Blu-ray and it's copy protection scheme. How does it work? ...and how will Sony react?

Brilliant! I wonder why there’s no public backlash against companies who actually make this `legalized malware’. I realize that Jim Bell’s ideas (assassination politics) are just that – ideas – but surely someone must hate these guys enough to do something against them in real life!

@ Paul

> By the way, F-Secure "didn't go public with the info right away as [they] were worried with the implications (especially
> with the info on how virus writers can use this to hide files which have names starting with "$sys$")." How should we
> feel about that line of reasoning?

Makes sense, that's reasonable behavior when discovering something fishy that a vendor does... give the vendor a chance to fix it.

Of course, the problem with "full-disclosure, just not right away" policies is that there's no guarantee that the vendor will fix anything without an outcry (Bruce has brought this up before).

The correct thing for F-Secure to do would have been to send an alert to CERT, rather than engage in "discussions" with Sony.

Subject: editorial revisionism

From: Pat Cahalan
Date: Thu, 17 Nov 2005 12:25:16 -0800
To: jais@cnet.com, sard@cnet.com, Jon.Skillings@cnet.com

Gentlemen:

An article posted on your web site (http://news.com.com/Sony+CD+protection+sparks+security+concerns/2100-7355_3-5926657.html?tag=nefd.lede) has been edited without noting a revision since the Sony DRM/Rootkit story broke.

See here for details:

http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html

Specifically, this line:

“The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.�

Was changed to this line:

"First 4 Internet, said the cloaking mechanism was not a risk. The company's team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said."

Modifying the posted article, as opposed to posting a revision which explains this change, smacks of irresponsible news reporting, and leads at least one reader to wonder how much of your advertising revenue comes from Symantec, and whether this had an affect in the decision to modify this article.

An explanation to the community of CNET readers would be in order.

Hello Bruce,

Long time reader, first time writer...

Your critique of other security firms begs the question: Did Counterpane detect Sony's software "calling home" from any of its customers' systems?

@ William

I haven't checked on the "calling home" details myself, but the original post on Mark's sysinternals blog said this:

"Btw, I checked with a sniffer. The DRM system connects to connected.sonymusic.com and www.sonymusic.com and tells them an id number, apparently identifying the album. So, sony knows your ip address and what you listen to. "

If it's port 80 traffic, it's unlikely to get noticed, I'd imagine.

edit to the last post:

If it's port 80 traffic to a commercial (ie, supposedly well-known and benign) web site, it's unlikely to get noticed.

I imagine Counterpane's traffic analysis would notice lots of port 80 traffic to, for example, a web server running off of an IP with no reverse lookup or a dhcp assigned address or something of that nature.

But this would look as "normal" as traffic to, say, www.espn.com...

"That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst."

That's a pretty strong statement, Bruce, given that we didn't hear anything out of Counterpane either. While the CD vector creates boundary-passing problems, apparently there was no detection of the phone-home behavior that was happening on their monitored customer's network. Does the failure of your Sentry devices to detect that recurring contact constitute 'incompetence'?

I don't approve of Sony's actions but the reality is that they distributed a piece of software that took advantage of a design decision in Windows, patching the system calls. The various virus detectors didn't notify anyone of this but should they have? To some extent we have to accept that they serve in a reactionary role - there are things that perfectly legitimate software does (send mail, for example) that is unacceptable when something we consider a virus or worm does it. Do they therefor alert the user every time such an event happens?

I suspect the average user wouldn't have the slightest idea of the import of that kind of notice. Personally I used Zone Alarm for all of 1 hour because it alerted me to so many things that were legitimate that its chance of warning me of something important was almost nil. How do the virus scanner companies watch for this kind of thing (before any indication that a malicious piece of software that does it has been identified) and alert the user without being more false-positives than can be tolerated?

@ Don

> How do the virus scanner companies watch for this kind of thing (before any indication that a malicious piece of
> software that does it has been identified) and alert the user without being more false-positives than
> can be tolerated?

Virus scanners used to just run on code fingerprints, but since viruses are getting trickier at embedding themselves (you could write a whole dissertation on virus cloaking methods), most virus scanners have a "suspicious behavior" scanning method as well.

Having processes running that aren't reported to the operating system, regardless of where they come from, seems to be a pretty giant red flag.

Besides, even if you assume that this wasn't a coding problem, there are references here to First4Internet talking to "big anti-virus companies" before the software was deployed, which is *really* the issue -> whether or not A-V companies were technically capable of catching the virus doesn't matter... they already knew about this dicey bit of software and chose to ignore it, to the detriment of their customer base.

See my last post about port 80 traffic to a fairly 'legitimate' web site as to why Counterpane may not have noticed it.

I don't really understand the comment about Microsoft having "sold out its users"? Regardless of you politics on the matter, the fact remains that content owners have, under US and International law, the right to control the distribution of intellectual property which they own. You might not like it but that is the way it is. What Sony did was wrong. Way wrong. They secretly compromised user’s computers. Why they did it, however, is another matter.

What is needed is a way for content owners to control how many times their content can be backed up and how they can allow fair use while at the same time disallowing the rampant piracy that happens today. Microsoft’s DRM technology facilitates all of this as does that being touted by its competitors

This is not a sell-out. This technology allows me to purchase music 1 song at a time without paying for the other 14 pieces of crap on a CD, allows artists to be paid, and prevents me from going beyond what is considered fair use.

DRM is not a matter of putting one's own business interests before those of one’s customers, it is a matter of balancing the interests of all parties involved in the creation, production, distribution and consumption of intellectual property.

I don't fault Counterpane for not finding it, I merely brought it up to indicate that if we're prepared to use a word like 'incompetence' with regard to their not noticing possibly legitimate system changes (vs ethical lapses like not blowing the whistle just because someone is big money) then I think we need to be prepared to apply it to not monitoring port 80 traffic for consistent destinations & strings, at least till they are whitelisted.

After all, for someone to connect to cnn.com and GET / repeatedly is expected. To connect to any host and repeatedly do a GET with the same multiple parameters and a non-standard user-agent is more unlikely.

It's easy to engage in Monday-morning quarterbacking on this and thinking about it perhaps a reasonable security measure for finding this kind of phoning-home would be to monitor the user-agents coming out of any machine and one-time flag when it changes. Yeah, upgrades from Firefox 1.1 to 1.2 would likely give you a burp but you could add a whitelist of -progressions- as they arrived too.

With the advantage of that hindsight, of course.

Dave says: and prevents me from going beyond what is considered fair use

Here's the problem Dave: Fair Use isn't codified into law. So "what is considered" is REALLLLL different depending on who you ask. Perhaps not surprisingly, Sony consideres it a lot more tightly than I do.

Is there a good open-source anti-malware package? If not, maybe there should be. It seems Symantec, etc can not be trusted.

Don says: "Fair Use isn't codified into law"

I think that there is a significant amount of legal precedent that does define fair use. We know, for example, that’s its ok to record TV shown on DVRs, we can make backup copies of software, I think (at least in France) its even ok to backup Video DVDs.

If the definitions are not tight enough, they will become so as cases are brought before the courts.

Dave, Microsoft (and other security software vendors) sell out their users when they don't fight malware that comes from a big commercial entity like Sony.

Regarding your other point, piracy is a smokescreen for the real reasons for DRM: killing fair use (time shifting, quoting, etc...), killing the right of re-sale, and vendor lock-in (once you've bought a bunch of DRMed iTunes songs, you're not likely to buy anything else but Apple hardware that uses that DRM.)

It looks like we can't trust commercial security software vendors anymore.

I wonder why Mark Russinovich wasn't prosecuted under the DMCA for the thought crime of talking about how to defeat a DRM technology.

@ Dave

> I don't fault Counterpane for not finding it, I merely brought it up to indicate that if we're
> prepared to use a word like 'incompetence' with regard to their not noticing possibly
> legitimate system changes then I think we need to be prepared to apply it to not monitoring
> port 80 traffic for consistent destinations & strings, at least till they are whitelisted.

Fair enough.

NathanB

How does anything you mentioned "kill fair use"?

If you don't like the conditions a vendor puts on the his/her product, nobody is forcing you to buy it. Now if they hide these conditions.... Thats probably an ethical problem.

As for malware: Microsoft does attempt to fight it. Nothing is perfect however and malicious coders will always manage to get 1 leg up on their targets, even if only for a short time. I agree though that MSFTs inability to detect and prevent root kits is a real hole in their security model as the vast majority of users run as Admin on their machines.

"Is there a good open-source anti-malware package? If not, maybe there should be. It seems Symantec, etc can not be trusted."

Google ClamAV. :)

It's not that the antivirus companies somehow didn't notice because it was delivered on CDs.

According to a news.com story,
"The company's [First 4 Internet] team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said.".

"Remember this wonderful C|Net quote: 'The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.' It used to be in this article: http://news.com.com/Sony+CD+protection+sparks+security+concerns/2100-7355_3-5926657.html?tag=nefd.lede

"The article now reads, 'First 4 Internet, said the cloaking mechanism was not a risk. The company's team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said.'

"What happened here? I see no notice of the change on the web page. I'm contacting the author of the article to find out."

I think I had a hand in that. I originally that that quote in my Wired piece. My editor at Wired knew the author of that quotes piece, and asked him about it. It's a big deal, after all, as it is evidence of collusion. The author backpedaled about the quote, and I guess he decided to rewrite history and his story.

"It seems that Sony got some of their code for the rootkit from open source, in particular from Jon Johansen ("DVD-Jon"). (See http://nanocrew.net/2005/11/16/sony-drm-rootkit-saga/ for some links and background.)"

I need some independent confirmation of this. I don't think we know for sure yet.

"Your critique of other security firms begs the question: Did Counterpane detect Sony's software 'calling home' from any of its customers' systems?"

We did not. We monitor security products, so if the products don't flag something we don't see it.

"I don't really understand the comment about Microsoft having 'sold out its users'? Regardless of you politics on the matter, the fact remains that content owners have, under US and International law, the right to control the distribution of intellectual property which they own."

Microsoft is not a content owner. I expect my operating system vendor to be looking out for my best interests, and not for the best interests of content owners.

Or do you really not mind if the company who sells you a lock for your home door also gives a copy of the key to media companies, so they can more easily control the distribution of their intellectual property?

Well, I was going to try and add something crisp and insightful, but then I read the Reg's latest update on Sony's PR plight and I just can't stop laughing...

http://www.theregister.co.uk/2005/11/17/sony_usb_offer/

@Bruce

"I think I had a hand in that. I originally that that quote in my Wired piece. My editor at Wired knew the author of that quotes piece, and asked him about it. It's a big deal, after all, as it is evidence of collusion. The author backpedaled about the quote, and I guess he decided to rewrite history and his story."

I had such a nice conspiracy theory going, too. Damn.

That makes sense, though; he may have not been thinking, and meant the "such as Symantec" as an example of a "big antivirus companies" rather than really meaning Symantec, specifically, was involved. I've done similarly sloppy things. Still, the lack of a revision notice is uncool.

How many "big antivirus companies" are there?

Ok, just one little question. Et tu Trend Micro?

According to all the case studies and press releases Sony uses Trend Micro internally for anti-malware, so it makes me wonder when/if Trend started flagging the rootkit?

@ Daedela

It's a really *big* industry, if that's what you're asking:

http://antivirus.about.com/cs/antivirusvendors/

I just finished reading your article on Wired (http://www.wired.com/ news/privacy/0,1848,69601,00.html). Of all the egregious behavior by
the many parties you mention, Sony & Microsoft and Security vendors
have a lot of explaining to do.

But in the end, Mac owners like me have less explaining to do (or at
least an easier time explaining) now, about why we own Apple products.

I think it's ironic that Sony will now have to contend with trust
issues, in order to sell music, PCs, and ... the Walkman (any of
which apparently could ship with bootlegged spyware).

Anyway, good stuff ... looking forward to my first issue of Crypto-Gram.

This is a wake up call :

Switch to a real operating system like Linux, BSD, etc. or continue to fund the AV/Closed source OS mafias of the world.

@Davi

There are a lot of anti-malware vendors, but only a few really big players. Symantec, McAfee, Trend, maybe Sophos, maybe MS.... Anyone else?

Trend, BTW, has been resoundingly silent. XCP isn't on their website at all.

--
What I say does not represent the views of my employers, my friends, my cats, or myself.

Update:

C|Net has posted a revision notice on their article:

http://news.com.com/Sony+CD+protection+sparks+security+concerns/2100-7355_3-5926657.html?tag=nefd.lede

Microsoft is a player platform (Windows) and a distribution mechanism (MSN Music). The platform and distribution mechanisms allow artists, music companies and yes, Microsoft to get a cut of the 99 cents/tune I pay while limiting my ability to drop the songs onto a P2P network (yes, I know that this is easy to circumvent).

Like I said, Microsoft has to balance the interests of all parties involved in digital media distribution and consumption because at the end of the day production and distribution costs money and there should be a way to make a profit on it. As a consumer, nobody is forcing me to buy it. I’ve just discovered pod friendly podcasting so it is unlikely I’ll ever buy music from the likes of Sony again.

As for buying locks, it’s up to me whether I accept what the lock vendor is doing. As long as I understand what’s going on up front, I can make a decision to buy, to buy elsewhere or to punt. If I choose to click through the EULA, who’s at fault?

Some of you have noted a change in the original Sony rootkit story that I published at Cnet News.com on Nov. 1. The story was initially changed to clarify what I thought was my own poorly worded sentence. After later following up with Symantec, we learned that the company had worked with First 4 Internet on imaging software, but *not* on the rootkit issue. Hence the correction now posted on the story. Thank you for close reading, and for keeping us attuned to the details.

Hey Bruce, why haven't you been as vocal about Intel and the operating system vendors hard-wiring this kind of functionality into their upcoming products?

August 02, 2005:
"Remote Attestation" and content access monopolies
http://itheresies.blogspot.com/2005_08_01_itheresies_archive.html

"Hollywood and the recording industry hold an effective monopoly on a large section of popular content. Both Microsoft and Apple are now offering the ability to content providers to demand that users must use unmodified systems to view said content. It locks you out of parts of your system that will inevitably be abused by third parties wanting to abuse you."

@ Daedela

Ok. Define big.

You have to weed through the number licensed agents (revenues), number of installed agents (adoption), number of active agents (live feed/information base), and so on, not to mention the deployment on edge and in-line devices, the number of staff working on code and detection, as well as activity in the malware community and marketing/news.

Take one ISP, for example, who selects vendor X over vendor Y (only two choices provided as OEM), thus providing in-line protection to 3 million users. Does that make vendor X a big player? I can tell you this, they're not on your list.

I am surprised you did not include f-secure, as I find them to be one of the bigger authorities and a useful/timely source on the subject of malware (as I noted in the log on the 4th and 14th):
http://www.schneier.com/blog/archives/2005/11/sony_secretly_i_1.html#c24154
http://www.schneier.com/blog/archives/2005/11/more_on_sonys_d.html#c25164

I don't know for certain yet, but I suspect Trend hasn't said much, as I pointed out above, because Sony has (had?) a huge contract with them.

If you search for the word "Sony" on the TrendMicro site (http://www.trendmicro.com/search/google/en-us/results.asp?q=sony), this is the top hit:

http://www.trendmicro.com/NR/rdonlyres/2CBD29D0-55E1-425F-9A88-6533A8A8C6FC/6501/CS20SONY021227.pdf

"SONY UK CHOOSES TREND MICRO TO PROTECT ITS MESSAGING ENVIRONMENT AGAINST COMPUTER VIRUSES"

Here's a related quote from Nov 3rd:

http://www.newsfactor.com/news/Sony-Criticized-on-Rootkit-for-Music-CDs/story.xhtml?story_id=011000CQOZKG

"While acknowledging the potential risks involved with the Sony rootkit, David Perry, global director of education with Trend Micro Latest News about Trend Micro, said that the practical threat is very small. 'The only time when we see people use these vulnerability is when [the tool] reaches a substantial percentage of the public,' Perry said. 'As of yet this has a very small impact.'"

Hmmm, define small.

Thank you for your fantastic submission to Wired News today! We need more coverage for this extremely important issue. (Will Walt Mossberg cover it?)

PO'ed wrote: "Any big-label released music I like, I *will* pirate and I *will* file-share."

Unfortunately, this thievery is the reason that Sony produced these malware-infected CD's in the first place.
If people PAID for their music instead of just stealing it, we wouldn't have this problem

Another issue is the gosh-awfull Digital Millennium Copyright Act of 1998. You may recall that it makes it a crime to even try to circumvent copyright protection. That doesn't mean Sony has the right to put malicious (our definition - not theirs (see tort law)) code on our computer, but it MIGHT make it illegal for Symantec to try to intercept it and it is definitely illegal to try to remove it once it's there. The DMCA is a bad dude. Needs reworking, bad.

John Borland now says:

"Some of you have noted a change in the original Sony rootkit story that I published at Cnet News.com on Nov. 1. The story was initially changed to clarify what I thought was my own poorly worded sentence. After later following up with Symantec, we learned that the company had worked with First 4 Internet on imaging software, but *not* on the rootkit issue."

Yes, but the fact remains: What did Matthew Gilliat-Smith say? Borland was supposed to be quoting Gilliat-Smith. Did Gilliat-Smith specifically mention Symantec by name? The "answer" from Borland dodges that one.

If Gilliat-Smith did not say that, then why did Borland write it? That would be most extraordinary.

But if that was what was said then it should have stood for the record not been "airbrushed out". Borland could have added an extra sentence to say that he had followed this up with Symantec, and they had denied it - as he has now here (when it's become embarrassing not to). But he didn't. He silently amended it.

I shall read any of his journalism with the deepest suspicion now.

Thans for pulling together the Sony/xcp/Windows saga.

What I want to know now is precisely what the Sony/Sunncomm Mac software is and what it does, and I want any audio disc which asks me to install any such software to give me a clear description of what it is and what it does (eg does it create data files and if so where?), and provide a simple and complete uninstaller. I want to know if it has a "phone home" capacity (in which case it's a spyware), whether it only runs when I insert an audio disc, or whether it's sitting there burning cycles all the time (in which case I want at least to have given explicit agreement). Does it affect all the content on the disc, or only "extra" or "additional" tracks? I want to know explicitly how severely it restricts my copying and media-shifting rights. Is a kernel extension preferable to a rootkit in any significant way?

At the very least there is an honesty in labelling issue here, which may well make the EULA moot: I can only give my consent to what is explained to me.

We are in danger (and I am not a natural conspiracy theorist) of tacitly endorsing the Sunncomm approach as an acceptable form of content control, in the feeding frenzy over the almost unbelievably incompetent xcp version, and the relative smugness of Mac users over their relative immunity. But it's only relative. Is it designed to take the heat, and smuggle through an almost equally objectionable, if technically less crass, variety.

So let's get to the bottom of Sony/Sunncomm/Mac as well, and work out a response that covers what is objectionable there as well.

@HonestJoe
> Unfortunately, this thievery is the reason that Sony produced
> these malware-infected CD's in the first place.
> If people PAID for their music instead of just stealing
> it, we wouldn't have this problem

I think I detailed several ways in which I am more than willing to pay for music. I will buy MP3s directly off artists' web sites. I will attend live concerts, for which I will pay for tickets. What I will NOT do any longer is give money to record labels who add no value, but steal from everyone in sight (artists included). I consider their actions (culminating in this one) to make it "open season" on their sorry asses.

TomCS: "I want any audio disc which asks me to install any such software to give me a clear description of what it is and what it does"

Well, there's your fundamental mistake right there. There is no conceivable honest reason why an audio (or video) disc should ask you to install anything at all.

(Or at least anything more specific than "something that can play this fornat". Of course any format that requires a specific application to play it should be considered extremely suspect right from the start.)

Ross Smith

You know that and I know that. But not even all Mac users know that, and I continue to see this as in effect a social engineering virus which is likely to fool a sizeable proportion of those ordinary folk who use Macs more as home entertainment tools than as computers. I want proper labelling, and ideally retailers to have to sell these crippled audio discs in separate racks from compliant CDs.

Question, referring to your criticism of AV companies on their deafening silence and failure to respond suitably to this "infection"; while it's understandable that we'd want AV companies to prevent our computers from being rooted like this by Sony's invasive DRM, wouldn't any company that that actively prevented this rootkit from functioning be liable under the DMCA for interfering or circumventing a copyright protection mechanism, no matter how flawed/broken/evil? Just a thought...

Certainly SONY should be at the forefront for making such a poor choice of a software
vendor to protect their music and I believe they should bear the expense of cleaning up
the mess. What about First4Internet though? They built this package. They sell it for the
express purpose of content protection. SONY was probably not even aware of the underlying
(rootkit like) method employed (not an exuse anyway, they should have been aware).

First4Internet is responsible designing, building and selling a hazardous software product
that has caused and will continue to cause real financial losses for millions of PC users.
They must be held accountable as well.
~GeoD

@Davi

All I meant by "big" was "size of corporation." I suspect that's what the article meant as well. F-Secure is fantastic, but not terribly big.

Sony will not provide genuine Microsoft Windows CDs with their computers for the purposes of recovery and reinstall.

I smell a really big rodent in the room here.

The real purpose of DRM is not to prevent piracy. There is always the analog hole. All it takes is for ONE competent person with good audio equipment to make the conversion and it can spread throughout the world in minutes. It's the spreading that needs to be stopped in order to prevent the piracy. DRM does nothing to stop the spreading.

No. The real purpose of DRM is to circumvent the existing laws which allow personal recordings. To stop you from making a copy of your best friends CD - something that is legal in most countries, I believe. This whole Sony DRM rootkit fiasco was perpetrated in order to steal away your rights. Not to stop piracy.

The US has the DMCA which makes it illegal to circumvent technology. Too bad there isn't a law making it illegal to use technology to circumvent the law.

I speculate that there's more and less that meets the eye. "Any software that implements digital rights management (DRM), no matter how terrible it is, is protected by the Digital Millennium Copyright Act (DMCA). Any attempt to circumvent that software, remove it, or otherwise tamper with the software can result in horrific penalties." Perhaps that's why the companies didn't remove Sony's rootkit. Full text on my blog at http://www.PebbleAndAvalanche.com/weblog.

Bruce, you and Mark RULE!!!! :)
Thank you for your excellent writeup. :)

"Any attempt to circumvent that software, remove it, or otherwise tamper with the software can result in horrific penalties"

But Sony would lose any DMCA case because their rootkit could, in principle, compromise copyrighted material on MY PC--that is, someone could crack into my home movies. I think it would be a legal stalemate.

Thank you for writing this. In a way it's proof that the big companies won't take the world over, whilst ever there are people like you out there.

Dave, in an 11.17.05 post, said:

>> Regardless of you politics on the matter, the fact remains that content owners have, under US and International law, the right to control the distribution of intellectual property which they own.

This is incorrect as to the history of intellectual property infringement law (including copyright law), at least in the US. We have undergone this cycle of paranoia on the part of large distributors (almost never creators of the content, though; Metallica loudly excepted) for quite a while. Something quite similar happened with piano rolls in the late 19th century. And again with radio beginning in the 20's. Congress finally intervened and provided for an automatic and involuntary license (payment via ASCAP or BMI; there are similar arrangements elsewhere). And again with magnetic audio tape just after WWII, and again with magnetic video tape about 30 years later. In the US, the Supremes settled that in the 'Betamax case'. And is happening again in the last decade or so regarding digital media. Recall that the digital audio tape died stillborn -- in my view from copyright owner opposition, which was strenuous. See Professor Lawrence Lessig's book on copyright history (available on line); the "Conger" was an example of copyright holder overreach in an earlier time.

In fact, all a copyright owner (however that ownership was obtained from the creator) has only the right to license or not license, and sometimes not even that (see Congressionally mandated revisions in such rights as noted above). And the right to appeal to the courts for assistance in the case of copying infringement, just as in any other damages case. Nothing special about copyright holders' recourse to recover or prevent damages. No content producer has the well-established right to interfere with existing rights (eg, fair use or fair dealing, both very well extablished for more than a century both in statue in some places and in precedent in others), or to the use of one's computer for other purposes than music or video or whatever the copryright holder is concerned about. It is recoverable damage to the interests of a computer owner if that computer is so altered in its operation as to make it more vulnerable to some third party in (eg, Bulgaria or the Phillipines or ...). Consider the case of someone snipping the phone line to your private security system, and doing nothing more. Your home is invaded shortly thereafter with no alert phoned to the security company or police or even relative. The snipper has done committed a kind of vandalism more serious, dangerous, than egging a front door. If caught, the snipper could be charged for the snipping and the resultant effects (ie, the home invasion).

That Sony did this secretly is relevant, as nearly as I can tell, only in that it shows evidence of intent to commit something which would not withstand the light of day and which was therefore somewhat carefully concealed. The possibility of a claim of innocent mistake as a defense would seem to have been chucked out the window by that action.

>>What is needed is a way for content owners to control how many times their content can be backed up and how they can allow fair use while at the same time disallowing the rampant piracy that happens today.

The economically significant piracy cannot be stopped by any sort of DRM for which there has been any public knowledge. It's done in large modern plants in remote corners of the world which can turn out thousands of copies of optical media an hour. No DRM measure to date has even slowed them down. All known DRM attempts, so far, have been unanimously poorly engineered and incompetent attempts to to do something -- whether you agree with the purpose or not. This has been Bozo quality research and development. The incompetence has been at minimum cryptographic (lawyers and marketing suits seem incapable of any clear crypto thinking), and socially in that these companies and associations have been attacking their customers with a very ham-handed legal strategy. Suing 13-year old kids for hundreds of thousands of dollars is not a way to win friends, retain customer good will, or evade the slashdot class horselaugh. Anyone remember DIVX? It was hald-owned by an LA law firm. They deserved their loss because of their belief in a crock system design, regardless of the hostility to the customer (They're all criminals! We must stop them now!) embedded in the whole thing. Not much improvement aomongst these clueless counselors and suits years down the road.

More legally significant may be that, to the limited extent they work at all (preventing misuse as defined by the suits and attorneys), these DRM measures forcibly interfere, on a programmed and inflexible basis, with existing rights. Fair use allows for personal copies for backup purposes, for transfer to other media of the purchased content (ie, to an 8-track for playback in the car), and so on. No DRM thus far recognizes any of this. Further, even the copyright owners can shoot him/theirself in the foot as long as DRM measures are in use. Thus, I contract with Sony to use their copyrighted content in my laser broadcasts to Jupiter's moons (for the benefit of the folks under the ice on Europa, of course), but the DRM knows nothing about this right to use (for which I've paid and have now discovered, in essence, that I've been cheated by another of Sony's divisions, one with too many suits and lawyers). Lawsuit follows.

>This [technology, ed] is not a sell-out.

Well that depends on whose ox is being gored. Microsoft's Vista is likely to seriously interfere with my use of my computer because of the Palladiumamic surpervision built into its shriveled, if Trusted, heart.

I've been sold out, and I sure as shootin' won't be exposing myself to any further rootkits from Sony. Someone just lost a customer, and I'll be informing all their artists of my decision as well. Microsoft gets license fees for its DRM software from various sources, sells it to me, but because I bouthg only one license and don't have a Redmond resident representative, MS won't listen much to me. Sold out again, because MS is collaborating with Sony (in this example) to limit my right to use the content I've paid for down at the store. I've long ago converted to Linux (SuSE distro) so the crashing shards of Windows are effectively behind me. I do have a machine which has no connection to the Internet for Windows software I have to use.

This is all a mess, most of what's being actively done (publicly, or sneakily. or by buying legislation) is pernicious from any sensible public policy perspective. The extension of US copyright term to protect the Mouse is a particularly gross example of pandering to large industrial interests. Reading Mark Twain on The Gilded Age will seem quite cheekily familiar. And he's funny, though what he was excoriating wasn't then and isn't now.

>>DRM is not a matter of putting one's own business interests before those of one’s customers, it is a matter of balancing the interests of all parties involved in the creation, production, distribution and consumption of intellectual property.

It is exactly that, as DRM as so far implemented in many an (incompetent) instance has shown no recognition of existing purchasers' interests or rights.

The balance is entirely on the side of large copyright owners who see a large business at risk and so are willing to arrange for legislation, invent deranged kinds of DRM, impose them without warning or permission on customer equipment that is used for many other things than music or video playing, most of them far more valuable to their owners than either music or video, all at the behest of marketing suits and legal beagles who simply don't have a clew (imagine Peter Sellers/Clouseau here -- the match in lack of competence is quite extraordinary).

Sorry Dave, you're multi-dimensionally wrong on this.

WW

//But Sony would lose any DMCA case because their rootkit could, in principle, compromise copyrighted material on MY PC--that is, someone could crack into my home movies. I think it would be a legal stalemate.//

More significantly, Sony's software directly infringes on some other people's copyrights (the authors of some of the libraries used), therefore copyright law would seem to allow those authors to not only permit, but demand its removal.

@geoD: "SONY was probably not even aware of the underlying (rootkit like) method employed (...)."

They were probably not aware, and set up servers as connected.sonymusic.com and www.sonymusic.com, listening for incoming messages, by accident?

Hard to believe.

btw.: The second part of the name of the corporation "Sony BMG" means 'Bertelsmann Media Group". The Bertelsmann-Group is a big player in the German newspaper and television-broadcasting market.
I searched their news-site on 'stern', a weekly news-and-stories - magazine for 'Sony', for 'rootkit' and 'sony bmg' without success.
One hit came up for 'xcp', which was linked to 'Financial Times Deutschland', another product of their house.
Other news-sites show much more news to this topic, and make it more easy to find them.

Concentration of big, global companies is another problem we can study on this case.

Would we believe vulnerability-news, published by a competitor?

Others have noted this already, but it's worth repeating: one big reason that the security companies
have been so tepid in their response, and that they've tended to limit their attention to the "cloaking"
half of Sony's rootkit, is almost certainly: the DMCA. This affair therefore demonstrates yet another bad
side (yet another unintended consequence) of that misguided piece of legislation.

Hi Bruce,

If you want evidence of Sony BMG & F4I stealing LAME code, check out this site:
http://hack.fi/~muzzy/sony-drm/
and
http://www.the-interweb.com/serendipity/index.php?/archives/54-Breakthrough-after-breakthrough-in-the-F4I-case.html

The evidence is indisputable. I reckon if you run some debugger on the process you can step through those code.

Funny to hear some reader advocating DRM as a way to protect IP. The only safe way to protect your IP is not to let it out of your sight or closet.

It is part and parcel of the world. All these so called legislation and digital laws are only placing consumers at a disadvantage and unfair positions. I am so disappointed the so called consumer protection agency are not there to get a fairer and more consumer-friendly EULA. Check out SongBMG to see what I mean.

Hi Bruce,

Since this is a Blog by a security expert, I would like to bring up a number of security related issues highlighted by this seedy affair by SonyBMG.

1) While Windows 2000+ has a fairly strong security system (I am not saying perfect nor starting a religious war on OS), but so many have chosen to run with the security system turned off using Administrator Account. With this account, programs can write anything or destroying anything, including system stuff.

There are strong evidence presented in www.sysinternals.com/blog that had these users run using the 'Least Privilege' account principle, they would have been alerted and questioned why playing a sound on a CD needing admin rights?

So many of my fellow developers are running with the security off:-(

2) Since they've turned off the security as in 1), they then loaded up their machine with all these tools, anti-virus, anti-hack, etc. to consume valuable CPU and memory resources only to find that they are either in collusion with the attacker or the attack was not spectacular to be labelled as such.

I have encountered virus attacks days before the AV vendors have sent out alerts and updates. But I managed to defeat them. BTW I do not run AV continuously - only on demand.

3) It is really silly on Microsoft's part to support this thing called Autorun. Long ago when the only portable media was floppy disk, the spreading of virus via the floppy disk triggered by booting from it was well known and everyone knew not to leave floppy disk in the drive to boot.

It seems this lesson has been lost in the newer generation.

Had this feature not available, the attacks used by XCP and SonyBMG's other DRM by SunnComm would have no effect and you can simply rip their tracks out with no hindrance. Incidentally, SunnCom's DRM left rubbish around even if you decline to accept the EULA. To me this is a fair game to reverse engine what they gave us free;-)

I have always either hold down the shift key when I pop in the CD/DVD for those machines that are not mine or have all my machines' autorun perminently turned off.

Hopefully after this seedy affair, everyone become smarter, wiser, more security alert, and less trusting of any company, particularly SonyBMG.

In Digital world, trust nobody and treat every installation as hostile act is my motto.

If you like a good conspiracy theory, consider this: in Australia, the largest media organisations are without exception either partners of, or (in the case of News Corporation) participants in "big content".

And in Austraila, with only two exception (SmartHouse Magazine,
www.smarthouse.com.au; and the national broadcaster, ABC.net.au), the first reaction to the rootkit story was to shut up. In the first five days of the story, it got nothing at all from local writers.

Here are the first stories that weren't syndicated links in Australia:
http://www.smarthouse.com.au/Computing/Platforms/?article=/Computing/Platforms/News/W4U4R7R2
http://www.smartofficenews.com.au/Computing/Software?article=/Computing/Software/News/S4N3H4P2

These are dated November 1 and November 2, respectively.

The Australian didn't notice the story until much later: November 8; and even then, its attention to the story was in the form of a Sony PR-driven piece from a newswire.
http://australianit.news.com.au/articles/0,7204,17166754%5E15322%5E%5Enbv%5E15306,00.html

Yet Sony plus copy-protection is a Real Story in Australia: it has been for ages, because Sony ran, and lost, a court case trying to ban modchips in Australia.

I suppose it would be redundant to add that Sony is a major advertiser in the Australian market?

As a canadian, I am protected against privacy invasions as described in the Personal Information Protection and Electronic Documents Act (PIPEDA)

I have since visited sony.ca and made an official request and made and official request, as I am allowed to do under PIPEDA, for all information sony has collected on me which could identify me (namely during my short visit on their website). This could include my IP address, resources I visited with said IP address and possible other HTTP Headers typically sent with my browser.

I encourage all canadians to do the same thing:
http://www.privcom.gc.ca/information/02_05_d_08_e.asp

It's possible that if you've used other sony products, such as their online games as well as this rootkit, you could also ask them for information with respect to that.

Bruce's comments are an eye-opening commentary on the unthinking abuse of our rights by a large corporation. Im shocked that Sony executives havent been hauled up to Capitol Hill to explain their actions in front of a Senate Investigative Panel. If this code had leaked out of Sony so that the virus writers were ready when it was first released, the effect would have been devastating and no one would have known how they did it. Where's the spooks? We're talking about a potential National Security breach, thousands of goverment computers are "infected" not to mention government employees home computers. The only blessing is that the crackers were seemingly caught napping on this.
We all have Sony to thank for giving virus and malware writers some new tools and ideas to attack us with. It seems to me that this story will get much worse, I believe crackers will "go to school" on this rootkit and it's abilities and begin to produce their own with sweeping enhancements in concealment, communication and non-removability. Piggybacking exploits onto the Sony rootkit is only the start. While rootkits have slowly increased in the wild recently, this new flap should get "rootkits" noticed in a big way. If I were organized crime, I believe I would quietly start slipping this stuff onto black market audio and data cd's etc and start infecting things through multiple sources, not just internet related. I fear Sony, in one fell swoop, has changed the trickle into a river of trouble.

Good stuff. But I think you missed a reason -- DMCA fear.

Everybody fixing this rootkit is circumventing a TPM (hmmm, even Sony-- as the aren't the right-holder to all works protected by it...). I'm
not clear at all why any of the disclosures w.r.t. the Sony rootkit are even legal given the precedents of Coreley and Sklyarov. The courts have read the DMCA very straightforwardly. If TPM (a) is circumvented
by software or published technique (b), (b) is in violation. Certainly I don't think it's clear at all that McCaffee and Symantec are in the
legal clear w.r.t. adding the rootkit removal. I sure don't read an "oops" clause in the DMCA (where a publisher can "at will" denounce a
TPM). The only exemption mechanism is a periodic (bi-annual) review by the Library of Congress.

Here's another example. I had a discussion with some managers at a certain large software company.

What if your engineers were debugging your CD drivers, and discovers that certain CD's had invalid (table of contents) TOC's. (A known DRM technique)

What happens if (not knowing that invalid TOC's where intended as a TPM) the engineer 'solves' the invalid TOC issue by acting like a CD player instead of a CD-ROM (the known work-around).

What happens when the company ships the product with the "fix" for the invalid TOC's in the next major boxed revision?

Quite correctly, they all blanched. The costs to recall a major launch, and fines for distributing circumvention tool are quite high. Since the
DMCA makes this (c.f. Sklyarov) a criminal offense the record companies wouldn't even have to go toe-to-toe w/ that certain large company.

I'm quite sure that this large software company ensures that their drivers aren't "too good" in this respect today -- that the "succeeds in
failing" test is part of there validation. (Why else would we still need cdex, hmmm?)

If a company as large as that won't fix CD TOC handling -- why would Symantec and McCaffee want to touch this rootkit with a 10' pole?

Actually I think Sony's been a bit worse than that. Here's a shortlist for others to build upon:

First they install a rootkit without end-user permission (Tresspass to chattels).

Next it turns out that the rootkit interferes with the "anti-cheating" functionality of "World of Warcraft" -- which is TPM preventing unauthorized derivative (hacked copies WoW) works. (DMCA violation)

The rootkit apparently contains pieces of the LGPL'd "Lame" encoder without meeting the publication requirements (Copyright infringement).

Both the original "rootkit" and one of the rootkit uninstaller versions leave a huge security holes on the end-users computer. (Trespass to Chattels and/or Vandalism ... don't know what
law other than civil suits for neglicence -- the EULA limited the damage to $5, but rootkit existance wasn't disclosed in the original EULA).
(see Freedom to Tinker)

Finally, if you press Sony tech support, they will send you instructions to create and non-TPM'd disc (i.e. a real Red Book CD) from there TPM'd CD. "traffic in a ... technology" (DMCA Violation)

Government of the corporation, for the corporation and by the corporation

what can a moderately sophisticated user who is not a professional technologist do? i don't trust big corporations, they write and deploy this code for their benefit, not mine. if i play spy versus spy against microsoft or sony, i'm gonna lose. i wouldn't stand a chance in hell of noticing what mark russinovich noticed. why should i buy a software product i don't fully understand to combat the bad features in another software product i don't fully understand (and which i also bought and paid for!)?
one simple, obvious answer is to move to open source. windows is secret. linux is not. i can pay somebody to look at the linux code and tell me anything i need to know, can't do that with windows. i've noticed lots of funny things about windows, one pet peeve i've never seen commented on is that the disk cleanup accessory sometimes fails to remove 100% of the temporary internet files, and the files left over, the ones i have to go into the individual folders to delete, were put there when i checked my hotmail account, and hotmail is owned by...ahh yesssss!

@Enginer [sic]

"You may recall that it [DMCA] makes it a crime to even try to circumvent copyright protection."

Then it's a crime for Sony, Microsoft, and Symantec to try removing the rootkit, or even to expose its cloaking.

Let's prosecute the big boys!

What I find more intriguing is "is (or was) there a collaberation" between Microsoft and Sony? i.e. Microsofts' EULA says you will not do anything to tamper with "the workings" of its' programs. XCP clearly does that as it works at a very low level.

Now, obviously, while many of us would *love* to see a suit from Microsoft against Sony it is probably likely never to happen, which is why the question *should* be asked, imho.... Not only do we have the AV companies not saying anything about it, and their resultant "removal kits" being tantamount to the same as Sonys', but Microsoft has not stood up and questioned this very bad, ugly piece of software.

If not collaberation, then Microsoft is staying quiet because of the deals it has lined up with Sony for (more) DRM for Media Center & Vista - not to mention the blu-ray saga.

I guess that some of us would like the question to be posed to Microsoft and for someone to respond, otherwise they are guilty by association and equally as liable and culpable.

@another_bruce: "I can pay somebody to look at the linux code and tell me anything I need to know."

I can pay someone to read Chinese for me and tell me anything I need to know ... oh, wait a minute, I don't speak Chinese, so how will I know he is telling me "anything I need to know"?

There's nothing wrong with Linux. but that's a laughable argument for it.

It's hippocrasy at its best. Some kid doing this would be jailed and fined so bad his life would be ruined, but a big multinational corporation won't even be charged. Well, everyone knows microsoft's a joke, but then there's symantec and mcafee. Their security products are supposed to protect your computer from malware, but being american corporations, it's obviously more important for them to play safe and avoid pissing off another big corporation in fear of lawsuits than to protect their paying customer's computers.

I'm sure I am not the only one to have thought of this, but I was wondering, while reading so many articles about the Sony/BMG XCP "copy protection" why they were focusing their anti-piracy efforts on only these 52 CD's? Browsing the list of infected CD's, none of these seem to be very popular or at least any that the "average pirate" would care to buy, let alone copy multiple times and care to share on P2P networks or the like.

My question is, then, has anyone discussed what, of any, information the XCP program returned to Sony/BMG? It seems to me that this was not so much about Copy Protection, or even a proof of concept for DRM, but more of a direct marketing plot. (no, i dont normally wear a tinfoil