Sony’s Rootkit

Posted by Jon Mandle

You may have read about Sony/BMG putting rootkits on some of their music CDs. (The original discovery was revealed by Mark Russinovich on his blog. Today, he posted a follow-up. Mainstream coverage is here, here, and here. There’s a good discussion on the Security Now podcast, number 12.)

Basically, rootkits are pieces of software that change the operating system in order to hide themselves and what they are doing. For example, they can intercept directory-listing calls, thus hiding files from the operating system and from any software that relies on the operating system to enumerate them. This makes it virtually impossible to see them from within the running system. And once the operating system is compromised in a way that is invisible to users, all bets are off.

It’s bad enough that Sony would do this without giving users adequate notification. But the system they used – licensed from a company called First 4 Internet – did this in a particularly clunky way. Any file whose name starts with the prefix $sys$ would also be hidden from the operating system, whoever created it, leaving the computer open to other hacks that would themselves be hidden.
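The way such a cloak is usually caught is a cross-view comparison: enumerate the same directory through the operating system’s normal API and again from a low-level or offline view, then flag whatever the API view is missing. The following is an added illustration in Python, not code from the post, Sony or First 4 Internet; the filtered listing is only a model of the behaviour described above, and the `$sys$`-prefixed file names are constructed.

```python
"""Cross-view detection of a prefix-cloaking rootkit (added example)."""
from typing import Dict, Iterable, List, Set

# The post describes a rootkit that hides every name beginning with this prefix.
CLOAK_PREFIX = "$sys$"


def cloaked_listing(raw_names: Iterable[str], prefix: str = CLOAK_PREFIX) -> List[str]:
    """Model the 'high-level' view an infected OS returns: a hooked directory
    enumeration that silently drops every entry starting with the prefix.
    This is a simulation of the behaviour the post describes, not driver code."""
    return [n for n in raw_names if not n.startswith(prefix)]


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Set[str]:
    """Names present in the raw (low-level/offline) view but absent from the
    OS API view. A non-empty result means something is filtering enumeration."""
    return set(raw_view) - set(api_view)


def classify(hidden: Iterable[str], prefix: str = CLOAK_PREFIX) -> Dict[str, Set[str]]:
    """Split hidden entries into those explained by the known prefix and the rest.
    Anything 'unexplained' is hidden by some other mechanism and needs a closer look."""
    hidden = set(hidden)
    by_prefix = {n for n in hidden if n.startswith(prefix)}
    return {"prefix_cloaked": by_prefix, "unexplained": hidden - by_prefix}


# Constructed sample: what a raw disk scan of a driver directory might list.
# The two $sys$ names are made up; the second stands in for any third-party
# file that simply adopts the prefix to ride along under the same cloak.
RAW_SAMPLE = [
    "ntfs.sys",
    "disk.sys",
    "$sys$driver_demo.sys",
    "$sys$hitchhiker.exe",
    "readme.txt",
]

if __name__ == "__main__":
    api_view = cloaked_listing(RAW_SAMPLE)
    report = classify(cross_view_diff(api_view, RAW_SAMPLE))
    for name in sorted(report["prefix_cloaked"]):
        print(f"hidden by {CLOAK_PREFIX!r} cloak: {name}")
    for name in sorted(report["unexplained"]):
        print(f"hidden by unknown mechanism: {name}")
```

On a real system the raw view would come from reading the volume directly or booting from clean media, which is exactly why the cloak cannot defend itself against an inspection it does not mediate.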

Last week, on an NPR interview, a Sony executive downplayed the controversy, saying: “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” Words to live by, I guess, because nothing can hurt you unless you know about it.

Update: EFF has a page with useful information including a list of CDs known to contain the software. (hat tip: boingboing)

posted on Wednesday, November 9th, 2005 at 8:36 pm
comments
  1. “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”

    This could become a real classic. I suggest a competition: “Most people, I think, don’t even know what a _______ is, so why should they care about it?” Fill in the blank.

    Posted by Kieran Healy · November 9th, 2005 at 9:04 pm
  2. You beat me to it, Kieran :)

Most people don’t even know what the inferior vena cava is, so why should they care about it?

    Posted by mrjauk · November 9th, 2005 at 9:17 pm
  3. OK, that does it. I’m not giving another penny to these greedy bastards – Kazaalite here I come.

    Posted by derrida derider · November 9th, 2005 at 9:44 pm
4. Looking at the list of CDs containing the software, I don’t know what’s worse: to have the Rootkit installed on your computer, or to have to listen to the shitty crap major labels like Sony release nowadays.

  5. A blog devoted to the issue is here: http://www.boycottsony.us/

    Most people don’t even know what their encephalon is, so why should they care about it?

  6. You mean Sony wants to 0//n my b0x and this isn’t a prosecutable offence?

    It strikes me that if I didn’t know about it, they didn’t tell me, so that’s definitely cracking. How can this be other than illegal?

  7. Well it sounds like the hack will only get installed after you click “OK” on a dialog box that pops up when you insert the CD in your drive. So I reckon that counts as them telling you about it.

  8. Any file starting with the prefix $sys$ would also be hidden from the operating system, leaving the computer open to other hacks that would themselves be hidden.

    I wonder if Sony is really ready for a class action suit for them to pay the costs of fixing every system hit with a virus using the hole they are creating?

    On the other hand, it would be a great boon for the service industry to be going door-to-door fixing computers …

  9. Sounds like just the sort of thing the UK’s 1990 Computer Misuse Act was written to prosecute:

    “Unauthorised access to computer material.

    1.—(1) A person is guilty of an offence if—

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

    (b) the access he intends to secure is unauthorised; and

    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at—

    (a) any particular program or data;

    (b) a program or data of any particular kind; or

    (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.”

    Unauthorised modification is also an offence, and jurisdiction is not limited to acts originating in the UK.

  10. How is it possible that the companies don’t anticipate the gigantic PR shitstorm that is absolutely inevitable when they try to pull something like this? This is not only going to hurt Sony in the music business, it’s going to hurt their brand in every market they’re in. These people are absolute morons. Truly mind-boggling stupidity.

    Posted by Slocum · November 10th, 2005 at 10:50 am
  11. That’s the potential downside, but what’s the upside? What does Sony stand to gain from planting dodgy software in its customers’ computers?

    Posted by yonray · November 10th, 2005 at 11:07 am
  12. What does Sony stand to gain from planting dodgy software in its customers’ computers?

    The opportunity to sell you patchcode at a ridiculous markup.

  13. > How is it possible that the companies don’t
    > anticipate the gigantic PR shitstorm that is
    > absolutely inevitable when try to pull something
    > like this? This is not only going to hurt Sony

    Because the “gigantic PR shitstorms” go away in a few weeks. At worst they sign a consent decree promising not to do some insignificant portion of what they were doing, then go buy a law to reverse the consent decree. The MSM forgets within 2 weeks and they go right back to doing what was criticized so heavily – but no one pays attention.

    Cranky

    Posted by Cranky Observer · November 10th, 2005 at 1:12 pm
  14. This is not only going to hurt Sony in the music business, it’s going to hurt their brand in every market they’re in. These people are absolute morons. Truly mind-boggling stupidity.

    What Cranky said.

    And Sony may have some absolute morons, but they know that a large portion of the public, with money, are more moronic than they are, won’t care that their PC has been rooted and will continue to send Sony BMG money for CDs that root their box.

    Humans are not very good at rationally steering away from something that is very good in the short term but will fuck you in the long term. They usually need force or belief to not give in to temptation.

    Posted by Barak · November 10th, 2005 at 1:29 pm
  15. What Cranky said.

    And Sony may have some absolute morons, but they know that a large portion of the public, with money, are more moronic than they are, won’t care that their PC has been rooted and will continue to send Sony BMG money for CDs that root their box.

    In this case, I don’t think so. Having their computers infected by malware is one thing that frustrates people greatly and to which broad stretches of the population are sensitive. Hearing that Sony is infecting their computers with the same technology that hackers use (and that may make it easier for other hackers to infect their computers) is something that I don’t think most people will ignore. But we’ll see.

    Posted by Slocum · November 10th, 2005 at 7:13 pm
  16. I think Sony shared Cranky’s views, and the recording industry has often been right in their view that customers don’t care about Digital Rights Removal techniques, but they’ve also been wrong, as the absence of DIVX players in today’s marketplace shows.

    Currently, there are class action suits in California and New York and the Italian government looks like it’s going to intervene too. Virus researchers are analyzing malware that’s already using the Sony rootkit’s functionality for its own needs. Computer Associates’ spyware detector (PestPatrol) now detects it as Spyware.

  17. “Most people don’t even know what a myocardial infarction is, so why should they care about it?”

    … and of course the obvious:

    “Most people don’t even know what corporate malpractice is, so why should they care about it?”

    “Most people don’t even know what caveat venditor is, so why should they care about it?”

    Ah, I hope they throw the (red) book at SonyBMG (and F4I) for this crap. In recent years, the courts in both the US and EU have been making examples of corrupt corporations as a warning to others not to flout tax/accounting laws.

    Now let’s hope they make an example of SonyBMG/F4I not to flout IT/technology laws too…

    Posted by IT Bloke · November 10th, 2005 at 10:45 pm
  18. So let’s see…I’m sitting in a nuclear power plant in NY and thinking “I sure would like to hear some nice music right about now”. I just happened to have picked up a brand new CD at Mal-Wart and it’s totally awesome dude.

    Posted by Please Bumble · November 11th, 2005 at 6:42 am
  19. “Most people don’t know what a weapon of mass destruction is so why should they care about it?”

    Or is that already in the public domain?

  20. re mrjauk’s entry:
    “Most people don’t even know what the inferior vena cava is, so why should they care about it?”

    Is it a cheap bottle of Spanish sparkling wine?

  21. Most people don’t know what my secret invention is, so why should they care about it?

    Hahahaha!

    Hahahahahahahahahahaha!

    Posted by Dr Evil · November 12th, 2005 at 4:37 pm
  22. Microsoft have now labelled the rootkit as spyware. More here:
    http://blogs.technet.com/antimalware/archive/2005/11/12/414299.aspx