Warning: don't buy Sony Music CDs!!!

[bludden]

When Jerry Pournelle talks about computers, it's a good idea to listen.....

Quote:

A WARNING

I have been spending far too much time verifying this incredible story, but it is all true.

I just sent the following letter to all my subscribers:



This is a Chaos Manor Warning. I would be shouting if I were not concerned that it would trigger your spam filters.

You may or may not be familiar with the Sony Music CD Root Kit problem.

Let me begin with the warning: do not buy or install any Sony Music CD on your PC. The records play just fine on other systems. There's no problem with Mac or Linux or with self contained music players.

But if you try to play that record on your CD, it will tell you that you must install the Sony CD player codec (you can't play the record through Microsoft Media Player or any other stuff you have installed on your system).

DO NOT INSTALL THAT SOFTWARE. If you do you may never be able to get it off there short of scrubbing your system down to bare iron, reformatting, and reinstalling everything. I wish I were spoofing you, but I am not. This is a serious warning.

Moreover, if you have given a Sony Music CD to anyone as a gift, and they have tried to play that music on their PC (not Mac, not a standalone player, not Linux, but Windows PC) then their systems are infected, and it is exceedingly difficult -- exceedingly difficult -- to remove that infection in a way that doesn't blue screen of death the PC.

MY ADVICE IS NOT TO BUY ANY SONY MUSIC CD.

I have heard nothing about Sony movie DVD's having any such infection, but it's possible. So far all my Sony DVD's have played with Power DVD and I have not been asked or required to install any special Sony software to play a Sony movie DVD; if I am asked to do so I will refuse, and so should you.

Understand that the Root Kit on the Sony Music CD is a deliberate installation by Sony as part of a Digital Rights Management scheme. They will now, if you jump through enough hoops, send you a patch that will make their scheme visible -- like all root kits, their original installation so infects your operating system as to hide in a directory your operating system literally cannot see or access -- but it still does not remove it.

I'll have more on removal in the column and at another time this being column time. I will also have a

DO NOT BUY SONY MUSIC CD

warning in my Christmas Shopping List in the column.

This is a serious infection: the scheme has actually been used by third parties to hide other malware on systems that have the Sony root kit installed, and others have used the Sony root kit to hide cheat software for World of Warcraft. Even if you think you know what you are doing, you should not fool around with this stuff. It's dangerous, it's very difficult to remove, and there is a very real risk that you will have to reformat your disk and reinstall your OS and everything else.

For more information see:

http://www.theregister.co.uk/2005/11...y_rootkit_drm/

http://www.theregister.co.uk/2005/11...y_rootkit_drm/

http://www.sysinternals.com/blog/200...al-rights.html

The last reference is to the Sysinternals page where an incredulous Mark Russinovich relates how he found the root kit on his system: the root kit has been out for months, and this is the first indication of it's existence.

Sony did a splendid job of stealthing this.

I will have more in the column and on the web page. If you have bought and installed a Sony Music CD on your PC, *you need more help than I can give you*. Start with the Sysinternals page, and *proceed with extreme caution*.

And the best of British Luck to you.

Best regards,

Jerry Pournelle

Chaos Manor

And an addendum: The system "Phones Home". See

http://www.sysinternals.com/blog/200...ecloaking.html

[dgoldbe2]

This is not even the worst of it, there is already a confirmed worm in the wild that exploits Sony's rootkit.

Between this, and the CD's that will not allow you to listen to the CD through iTunes, or put the music on an iPod, I pretty much am boycotting Sony.

[bludden]

The story

Quote:

AMSTERDAM, Netherlands (Reuters) -- A computer security firm said Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc.

Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down a computer's firewall and give hackers access to a PC. The malware hides by using Sony BMG software that is also hidden -- the software would have been installed on a computer when consumers played Sony's copy-protected music CDs.

"This leaves Sony in a real tangle. It was already getting bad press about its copy-protection software, and this new hack exploit will make it even worse," said Sophos's Graham Cluley.

Later on Thursday, security software firm Symantec Corp. also discovered the first trojans to abuse the security flaw in Sony BMG's copy-protection software. A trojan is a program that appears desirable but actually contains something harmful.

Sony BMG's spokesman John McKay in New York was not immediately available to comment.

The music publishing venture of Japanese electronics conglomerate Sony Corp.and Germany's Bertelsmann AGis distributing the copy-protection software on a range of recent music compact disks (CDs) from artists such as Celine Dion and Sarah McLachlan.

When the CD is played on a Windows personal computer, the software first installs itself and then limits the usage rights of a consumer. It only allows playback with Sony software.

The software sparked a class action lawsuit against Sony in California last week, claiming that Sony has not informed consumers that it installs software directly into the "roots" of their computer systems with rootkit software, which cloaks all associated files and is dangerous to remove.

Sophos said it would have a tool to disable the copy protection software available later on Thursday.

Sony BMG made a patch available on its Web site on Tuesday that rids a PC from the "cloaking" element that is part of the copy-protection software, while claiming that "the component is not malicious and does not compromise security."

The patch does not disable the copy protection itself.

The Sony copy-protection software does not install itself on Macintosh computers or ordinary CD and DVD players.

[FineExampl]

If this is true why isn't it on the news? Doesn't anyone think that purposely infecting consumer computers by a major corporation such as Sony would cause a major upheavel and make headlines? Does anyone realize just how many CDs are put out by Sony?

I call shenanigans on this thread!

btw i checked Snopes and they don't have this listed yet. Can anyone confirm this with references?

[mrbeetlebrain]

It's true alright, the story has been around for about 2 weeks now.

http://www.sysinternals.com/blog/200...al-rights.html
http://www.cnet.com/4520-6033_1-6376...ml?tag=nl.e501

The is probably going to be the thin edge of the wedge as far as DRM is concerned - wait and see what Microsoft have got in store for us with Vista.

[dgoldbe2]

Quote:

Originally Posted by FineExampl

If this is true why isn't it on the news? Doesn't anyone think that purposely infecting consumer computers by a major corporation such as Sony would cause a major upheavel and make headlines? Does anyone realize just how many CDs are put out by Sony?

I call shenanigans on this thread!

btw i checked Snopes and they don't have this listed yet. Can anyone confirm this with references?

This is true.

Sony says it is their right to do this.

[mrbeetlebrain]

Technically when you click on an EULA you have given them the rights to do it - of course nobody reads those things, and nobody would want Sony to root with there machines.

Little Aussie joke there.

[FineExampl]

Is there anything on CNN, MSNBC? Drudge? It's interesting to say the least. Sounds to me like it might be a little bit illegal.

[mrbeetlebrain]

I doubt it would be illegal, definitely immoral though.

However there is talk of a class action against Sony.

[Deserion]

Quote:

Originally Posted by FineExampl

Is there anything on CNN, MSNBC? Drudge? It's interesting to say the least. Sounds to me like it might be a little bit illegal.

Yeah, it is on the news...

-Des

[dgoldbe2]

Quote:

Originally Posted by FineExampl

Is there anything on CNN, MSNBC? Drudge? It's interesting to say the least. Sounds to me like it might be a little bit illegal.

It is illegal in 2 states. California is one, and I believe either New York or New Jersey is the other. At this time no other state explicitly prohibits this type of activity. I believe, the EU, and Australia both have laws against this type of activity as well. Congress was working on a bill which would have prohibited this type of activity, but software companies, and the spyware companies lobbied to have the bill killed.

There is one clause in the EULA which allows Sony to use this rootkit to install what they want, without notice by them to you.

[CaptainXeroid]

Quote:

Originally Posted by FineExampl

If this is true why isn't it on the news?...

It is true, it is on the news, and I bet you'll hear more about it now that Sony has promised to stop doing it. They still claim they did nothing wrong, but I think anyone with a brain knows that is .

[mrbeetlebrain]

As far as I understood it from listening to the Security Now podcast (the person behind the first discovery of spyware) if you gave an okay to the installation in the EULA you had given them permission to install software on your computer, including this.

The problem is those that will exploit this.
http://australianit.news.com.au/arti...nbv%5e,00.html

Now of course if you ran Macintoshes ...

[bludden]

...then they would write the hacks for Apple machines.

[shellbug]

On the yahoo homepage news tonight, it says that Sony is going to temporarily suspend making these cds.

[Whitacre]

It is absolutely amazing what Americans are letting large corporations get away with. Sony is not very apologetic about this faux pas but they are trying to patch it up. This should not be accepted by us and just because people still download music illegally, doesnt mean we should be punished with this kind of crap. I mean, the persons listening to the CD on their computer have obviously legally bought the CD anyway...I can understand the means for it to not get let out on the web or copied onto another CD but jeez...this is getting to far.

[mrbeetlebrain]

Quote:

Originally Posted by bludden

...then they would write the hacks for Apple machines.

yeah right, I don't see mac's suffering from spyware (or malware or virii).

http://macscan.securemac.com/spywarelist.html

[dgoldbe2]

Quote:

Originally Posted by Whitacre

It is absolutely amazing what Americans are letting large corporations get away with. Sony is not very apologetic about this faux pas but they are trying to patch it up. This should not be accepted by us and just because people still download music illegally, doesnt mean we should be punished with this kind of crap. I mean, the persons listening to the CD on their computer have obviously legally bought the CD anyway...I can understand the means for it to not get let out on the web or copied onto another CD but jeez...this is getting to far.

This is only the beginning of what Sony has planned.

Somehow they are planning on putting some sort of protection on Playstation 3 games to eliminate the game resale market. I would suppose they would also somehow try to put this into their music CD's as well. Here is an article

Sony also was researching a method to embed into their CD's some sort of sound that if you rip it to MP3 and try to play it in an iPod, you would get nothing but extremely loud and unintelligble noise. Here is one denial that Sunncomm was involved

Here is an article on Sony preventing Macs from copying CD's

Sony's position on the rootkit? We don't care

Here is the first of what I think will be many lawsuits

[dgoldbe2]

The Sony EULA prevents you from using the music you purchase legally, in legal manners:

Quote:

1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

8. You have no right to transfer the music on your computer, even along with the original CD.

9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.

All of these things are currently permitted under current copyright law in the US. Sony has decided that they are going to re-write copyright law to benefit only Sony.


Source: EFF.org

[BlackBug]

I second it being true! Its been around for about a month or 2.