Sony using rootkit tactics in DRM
Bewildebeast
02-11-2005, 04:33 PM
Oh dear. Looks like Sony are being naughty and using rootkit (http://en.wikipedia.org/wiki/Rootkit)-ish techniques in their 'rights management' software that's installed when you use one of their audio CDs in your (Windows-running) computer.
LINK! (http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html)
For those who don't want to read, the stuff they're doing includes not including an uninstaller, hiding registry values, making the DRM stuff load even in safe mode (not good), and filtering the I/O requests from the CD drive. What's worse is that if you try and remove this stuff manually without really knowing what you're doing, you're liable to render your CD drive useless.
All in all it's a bit shitty. I was aware that record labels were doing some pretty dodgy stuff with DRM, but I didn't know it had got to this level.
Opinions?
Edit: There's a piece on this story here (http://www.pcpro.co.uk/news/79491/sony-drm-company-declares-the-issue-old-news.html), including some quotes from the CEO of the company that supplied the software to Sony.
CodingTim
02-11-2005, 04:50 PM
I've only had time to read about half of it so far. Ouch. :\
edit: Finished reading the article now.
That annoyed me quite a lot. Fair enough if it's labelled "copy protected", people will know it's got that, but putting all that cloaking on there - is that even legal?
Meatwad
02-11-2005, 04:58 PM
Bastards.....
MONKEY050
02-11-2005, 08:59 PM
I'm a loyal Sony computer customer, but this is just outrageous.
Too far, my friends. Too far.
Playbus
02-11-2005, 09:10 PM
Sony may be the first to do this.
Rest assured, they won't be the last.
Read (http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html)
It makes me lol that people think this will stop downloading. Filling people's PCs with crap=angreh customers.
Lagmeister
02-11-2005, 09:34 PM
Well, it's nothing surprising, not anymore. You go and read some of the wonderful EULAs out there, I mean actually read the bastards; some include such gems as 'We are allowed to make any amendments to this EULA without the user's knowledge', basically meaning that once you agree to that EULA they can do anything they like through that program and you have already agreed to let them do so. It's rather nasty really.
TX_101
02-11-2005, 09:41 PM
Shitheads.
It's bad enough with the amount of Spyware, Adware, Viruses, Worms etc. that there is on the internet already without such things as this being distributed by large companies.
Really there should be laws passed that don't allow such goings on.
I was interested to find that the kernel can't be patched on AMD64 systems though and I'm liking that. :)
Minted
03-11-2005, 02:06 PM
What's even more exciting about this is that they commissioned a UK company to create this software. And as is pointed out somewhere in the 900 comments, this would appear to severely clash with the Computer Misuse Act.
As was also pointed out in the comments, I'm glad I use a Mac :D
Great. Now we have to worry about getting malware from so-called "Trusted" companies.
Minted
03-11-2005, 02:54 PM
Great. Now we have to worry about getting malware from so-called "Trusted" companies.
Not only that. We have to worry about getting sloppily written malware from trusted companies.
Bewildebeast
03-11-2005, 05:41 PM
I've edited the first post with a link to another article about this story. This one includes quotes from the CEO of first4internet, the company who supplied the DRM software to Sony.
luttman23
05-11-2005, 03:33 PM
Anyone who has a Sony USB Minidisc player will know the dodgy stuff they're doing with DRM - I'm a long time sufferer of SonicStage (lovingly referred to as SonicShit). If you have it you know what I mean, if not, just don't go near it. Ever.
wyrd_fish
05-11-2005, 04:34 PM
I know I personally will be avoiding Sony CDs in the future, alas they have some good artists...
I've edited the first post with a link to another article about this story. This one includes quotes from the CEO of first4internet, the company who supplied the DRM software to Sony.
ROFL.
first4internet?
jesus h. christ, that SOUNDS like a spyware company.
Seriously, can any of you imagine running Ad-Aware and seeing "first4internet" popping up with a TAC of infinity?
http://www.xcp-aurora.com/
Eww. I mean, eww.
Eccles
07-11-2005, 12:55 PM
It hasn't taken long for Sony's little rootkit to be misused!
World of Warcraft hackers using Sony BMG rootkit (http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/)
I think Sony deserve a big round of applause for providing us with such an easy to use rootkit! No really.
TX_101
07-11-2005, 04:46 PM
It hasn't taken long for Sony's little rootkit to be misused!
World of Warcraft hackers using Sony BMG rootkit (http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/)
I think Sony deserve a big round of applause for providing us with such an easy to use rootkit! No really.
Good Link.
Doesn't surprise me in the least, a kernel patch that hides processes is NEVER a good thing.
Well.. this was inevitable. Sony's being sued over it.
http://www.theinquirer.net/?article=27508
CodingTim
07-11-2005, 09:45 PM
Hmm. Hopefully that will put a stop to all this. However, there're still going to be some "rootkitted" CDs out there for sale for a while, surely?
Bewildebeast
08-11-2005, 06:18 PM
More idiocy from Sony and First4Internet:
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html
Playbus
09-11-2005, 08:44 AM
Hmmm. Nice little article this morning.
Said by the President of Sony BMG's global digital business division, Thomas Hesse:
"Most people, I think, don't even know what a rootkit is, so why should they care about it?" he huffed.
Full Article (http://www.theregister.co.uk/2005/11/09/sony_drm_who_cares/)
:rolleyes:
Lagmeister
09-11-2005, 09:35 AM
Well, there you have it, if you don't know about it, it can't harm you, obviously. If that's the professional position of the industry these days, I'm going to go live in a small shack on the moon.
Eccles
09-11-2005, 12:18 PM
Hmmm. Nice little article this morning.
Full Article (http://www.theregister.co.uk/2005/11/09/sony_drm_who_cares/)
A support manager at an IT department in a medium sized corporation told us that a CD-borne infection of Sony DRM is already causing his team headaches.
This is what I was worried about, another headache for us IT bods, as if viruses, spyware and dumb users weren't enough. I wonder if you need admin rights to install, I certainly hope so.
And what happens a few years down the line when the CD is used on a copy of Windows 200x (or whatever MS call their post-Vista OS)? Does it trash it? Probably.
What were they thinking? The likely problems were blindingly obvious even to me! It's pretty clear that Sony Music don't give a toss about their customers.
Grrrrrrrrrr! :mad:
(I'll have to go and lie down now)
For all those people worried that the next CD they plonk in their CD drive will fuck up their system, here's a list of files using Sony's killing tool:
http://www.eff.org/deeplinks/archives/004144.php
woops dubble post bollokssorrypargkthnxbye..
Some spyware scanners are adding the rootkit to their blacklist and blamming the fuck out of Sony, the bastards..
http://blogs.zdnet.com/Spyware/index.php?p=698
software that's installed when you use one of their audio CDs in your computer.
For once I hope -- and assume -- that it's a na(t)ive win32 application with no Linux version.
eleanor
10-11-2005, 11:39 AM
Meh. To date, I have ripped many so-called copy-protected CDs in Windows using CDex, with no trouble - even CDs that are known to have hard-to-defy copy protection.
Also we'll assume that there's no Linux version, cos that way I'm happier ;)
Lol @ WoW. :D
And yay for Sony being sued. \o/
Bewildebeast
10-11-2005, 12:46 PM
For once I hope -- and assume -- that it's a na(t)ive win32 application with no Linux version.
You're right - Mac, Linux and probably others just recognise it as an audio CD. I've edited my first post.
Minted
10-11-2005, 02:41 PM
Well gosh! Would you look at that!
http://news.bbc.co.uk/1/hi/technology/4424254.stm
\o/
Bewildebeast
10-11-2005, 02:46 PM
http://news.bbc.co.uk/1/hi/technology/4424254.stm/
First thing I thought when I read that article this morning was "Who would want to copy a Celine Dion CD?!" :)
Minted
10-11-2005, 02:48 PM
Celine Dion, why the long face?
[/Harry Hill]
Actually, surely the article should read:
"Sony Music BMG sued over Celine Dion infection on rootkit cd."
Playbus
10-11-2005, 04:32 PM
The below article taken from here (http://www.eff.org/deeplinks/archives/004145.php)
If you thought XCP "rootkit" copy-protection on Sony-BMG CDs was bad, perhaps you'd better read the 3,000 word (!) end-user license agreement (aka "EULA") that comes with all these CDs.
First, a baseline. When you buy a regular CD, you own it. You do not "license" it. You own it outright. You're allowed to do anything with it you like, so long as you don't violate one of the exclusive rights reserved to the copyright owner. So you can play the CD at your next dinner party (copyright owners get no rights over private performances), you can loan it to a friend (thanks to the "first sale" doctrine), or make a copy for use on your iPod (thanks to "fair use"). Every use that falls outside the limited exclusive rights of the copyright owner belongs to you, the owner of the CD.
Now compare that baseline with the world according to the Sony-BMG EULA, which applies to any digital copies you make of the music on the CD:
1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."
3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.
4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.
5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.
6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.
7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.
8. You have no right to transfer the music on your computer, even along with the original CD.
9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or making derivative works from the music on your computer.
So this is what Sony-BMG thinks we should be allowed to do with the music on the CDs that we purchase from them?
I'm hating them more and more.
Bewildebeast
11-11-2005, 12:07 AM
It just gets better and better...
"A first wave of malicious software written to piggyback on Sony BMG Music Entertainment CD copy protection tools has been spotted online" (http://news.zdnet.com/2100-1009_22-5944643.html)
rob.nunn
11-11-2005, 12:16 AM
At this rate we are going to have to use a license key & electronic registration every time we want to play a cd. No matter what the legal / moral pros & cons of downloading music are, this gives the public a really good reason to get ripped copies through p2p, etc.
The simple answer still seems to be "disable autorun", then use CDex or EAC or whatever to mp3 it. So just hold that [shift] button whilst inserting affected (infected?) CDs.
All a bit futile. And look at the artists affected so far... I can't imagine this kind of thing ever appearing on a SOAD cd anyhow. So I'm good for now :)
CodingTim
11-11-2005, 01:00 AM
Big rant coming up, be warned :p
Argh! Does anyone else feel like they're getting strangled by companies "enforcing their digital rights", as if we're automatically criminals by buying their music? I know they want to protect their "digital content"*, but this is really going too far. Has the situation got so bad that they have to use a rootkit to stop pirates?
I admit, I've bought a copy-protected CD before - I didn't realise until I got it home. Fortunately, it wasn't one of the Sony XCP or SunComm ones, but even so, I was annoyed about the "fair use" aspect: I'd have to insert the disc every time I wanted to play it on the computer. I don't like being penalised like this for other people's piracy. :(
Why are we as consumers letting powerful companies lead us down the road towards what I see as "complete media lockdown"? Doesn't it feel like one day we'll all have individual, compulsorily fingerprint-passworded MP3 players, with 2048-bit encryption, so that you can ONLY listen to a song if you pay for it first - no lending, no plugging into a HiFi at school, everyone who listens pays. Everyone would be in their own musical bubble; expression and most importantly fun and enjoyment would be limited - defeating the very purpose of music! That idea depresses me so much. I know it's a wild exaggeration, but it still makes me feel very constrained.
I don't condone piracy, I should make that clear. However, the concept of "fair use" is being trodden all over by these companies. And because they monopolise the production of a particular CD by a particular band, and because we can't buy the recording without all this copy protection, we have to agree to all sorts of stupid EULAs - I cringed at that one posted earlier in this thread. And by agreeing to the EULA, we get a lot of rubbish installed on our computers. Anyway, the CDs are very badly marked in terms of warnings: unless you knew about copy protection, you wouldn't know you had anything to fear.
Why can't it just be how it always was: buy a CD you like, listen to it on a "portable CD player"**, rip it to your hard-disk, rip it to an MP3 player, whatever you want to do with it, within "fair use"?
Maybe if record companies had been faster in setting up legal download sites, much of the piracy they're trying to deal with now could have been averted at an earlier stage. However, now, there're competing formats, competing licenses, so many complications: why can't they just say: "pay your money, then we send you a secure link; you can choose the OGG file or the MP3?", without all these new formats which are incompatible with anything made in the past, and with any rival brand's player? It's unfair how digital media companies seem to "lock in" customers by making formats slightly better than the old ones, but completely incompatible, so everyone has to use their product.
If big companies insist on "feeding" music to us how they want it, I can't see the future of music being as enjoyable :(
Anyway, sorry about the length of this post; I went off on a tangent. I had to get it all out of my system though. :)
*For some reason I hate the phrase "digital content" - it has connotations of "pay per listen", and "you can only listen to it under our EULA" :\ Why is music "consumed"? It should be enjoyed, like an art form, not "consumed" - that word has such a cold, commercialist tone in this context :(
**Ironically, mine's a Walkman :p
And it's over.. Sony are suspending the production of CDs with the rootkit on them!
It's amazing that they even started it anyway!
http://news.com.com/Sony+halts+production+of+rootkit+CDs/2100-1029_3-5946825.html?tag=nefd.top
CodingTim
11-11-2005, 09:48 PM
Yay :)
TX_101
12-11-2005, 10:22 AM
Win !
A good step from Sony, but still worrying that they did not seem aware of the fact that this was a problem before someone brought it to their attention.
luttman23
12-11-2005, 10:49 AM
Here's some more news on the evil sony thang:
http://www.newscientist.com/article.ns?id=dn8307
Eccles
14-11-2005, 01:13 PM
Microsoft are going to include detection and removal of the rootkit in their anti-spyware package and in December's malicious software tool.
BBC News Article (http://news.bbc.co.uk/1/hi/technology/4434852.stm)
I think that probably just about puts the final nail on the coffin of the XCP system. Well done MS.
TX_101
15-11-2005, 06:50 PM
Sony breaching Open source licences ?
http://www.gamedev.net/community/forums/topic.asp?topic_id=357865
CodingTim
15-11-2005, 09:25 PM
Microsoft are going to include detection and removal of the rootkit in their anti-spyware package and in December's malicious software tool.
BBC News Article (http://news.bbc.co.uk/1/hi/technology/4434852.stm)
I think that probably just about puts the final nail on the coffin of the XCP system. Well done MS.
Good news :)
Perks
15-11-2005, 09:59 PM
Well done Microsoft? Ah, lesser of all evils and such and such.
Eccles
15-11-2005, 10:26 PM
Well done Microsoft? Ah, lesser of all evils and such and such.
Yup, if you told me a week ago that I'd be congratulating MS I wouldn't have believed it. But credit where credit is due.
Anyway, making security holes is their job. (Ohh, cheap dig!)
Coroona
15-11-2005, 11:13 PM
People in America that really hate Sony. Always wanted to fuck Sony in the ass but never had the proper equipment? Well just go grab yourself one of the DRM'd CDs before Sony pull them from the shelves. Then you got yourself your very own class action strap-on.
CodingTim
15-11-2005, 11:15 PM
Surely they'd just say that you "obviously knew what it would do", so it was "your own choice, and your own fault"?
Coroona
15-11-2005, 11:18 PM
There is already a class action lawsuit going on, 2 if my memory serves. Get yourself one of those CDs and you're in. How are they going to prove when you purchased the CD?
Bewildebeast
15-11-2005, 11:22 PM
People in America that really hate Sony. Always wanted to fuck Sony in the ass but never had the proper equipment? Well just go grab yourself one of the DRM'd CDs before Sony pull them from the shelves. Then you got yourself your very own class action strap-on.
I know you were semi-joking, but that raises quite a good point. If I were to buy one of Sony/BMG's rootkitted CDs and let it do its thang on my computer, am I any less entitled to bring, or be part of, legal action against Sony and/or First4Internet, given that I know full well what it's going to do to the system? Does the fact that I knew what it would do beforehand render my case void, or does the fact that the effects aren't mentioned anywhere in the EULA mean I still have a case?
I know I'd have to be criminally stupid (or a security researcher) to do this, but I'm just thinking hypothetically. Any law-type-people got any ideas?
Mittwoch
15-11-2005, 11:50 PM
You can sue anything without an obvious warning on it. Like that woman who sued McDonald's for her coffee being hot - and she won.
I'd say that yes, if you get a rootkitted CD and dispose of the receipt then you've a good chance of winning any court action against Sony.
EDIT: Just remembered. Besides, they're Sony, FUCK obvious warnings.
Bewildebeast
15-11-2005, 11:55 PM
Good point that girl (I'd rep but I need to spread the love).
I guess short of looking at my hard disk for cached copies of web pages I'd visited on the topic (which I doubt they'd be allowed to do, seeing how I wouldn't be the defendant), it would be pretty hard to prove I had prior knowledge of what would happen anyway. Even if they did do that they'd have to prove it was me using the PC.
CodingTim
17-11-2005, 08:31 PM
This might be of interest: I wasn't sure if it deserved a new thread, so here it is anyway: the government is willing to listen, apparently:
http://management.silicon.com/government/0,39024677,39154238,00.htm
A 16-year-old's opinion on DRM is as welcome as Microsoft's