There's more on this here as well. Rootkits are really hitting below the belt. Maybe a class action would get their attention?

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Grohaz, you do know that SONY Media Software and SONY BMG Music have about as much to do with each other as PepsiCo and Honda do, right?

Gee, I don't know, Kelly. I've seen an awful lot of folks toolin' around on Honda motorcycles, drinking Pepsi and eating Kentucky Fried Chicken. ;o)

actuatly, wouldn't it be more like Sony Media Software is to Sony BMG as the CIA is to the IRS? ;)

KFC has caused cancer in rats when one was injected with the contents of an 18 piece bucket in 42 seconds. I'd stay away from that.


Sean
------------------------------
broadcast voiceovers

Actually, if they did add a rootkit to Vegas, I would want is as a check box in the Render As... dialog.

[ ] Add rootkit to MPEG2 so no one will steal your content

. When can we get this feature? ;-D

~jr

DRM this, Sony!

By Molly Wood, section editor, CNET.com
Thursday, November 3, 2005

I hope this is the week that everyone in the world finds out what a root kit is. And I hope it's a week we look back on in amazement, as we consider just how far Sony was willing to go to criminalize consumers in its efforts to preserve control over its product. Because I believe this is the week that Sony effectively declared war on the consumer, announcing what most of us had already suspected: fair use is a joke in the movie and record industry, and the companies who control mass-market content will truly stop at nothing to protect their profits.

We're not gonna take it
But let me start at the beginning. On Monday, October 31, alert users discovered that Sony BMG is using copy-protected CDs to surreptitiously install its digital rights management technology onto PCs. You don't have to be ripping the CD, either--just playing it from your CD-ROM drive triggers the installation. The software installs itself as a root kit, which is a set of tools commonly used to make certain files and processes undetectable, and they're the favored tool of crackers who are, as Wikipedia puts it, attempting to "maintain access to a system for malicious purposes." In fact, root kits are often classified alongside Trojan horses. And Mark Russinovich, who created a root-kit detection utility and was one of the first to blog about the Sony intrusion, discovered another little gem when he tried to remove the DRM drivers. It broke his computer--disabling his CD drive.

So, let's make this a bit more explicit. You buy a CD. You put the CD into your PC in order to enjoy your music. Sony grabs this opportunity to sneak into your house like a virus and set up camp, and it leaves the backdoor open so that Sony or any other enterprising intruder can follow and have the run of the place. If you try to kick Sony out, it trashes the place. And what does this software do once it's on your PC? Well, here is (via David Berlind's excellent breakdown of the issue) what Amazon's CD listing page has to say on the subject:

"This product limits your ability to make multiple digital copies of its content, and you will not be able to play this disc or make copies onto devices not listed as compatible. Content/copy protected CDs should allow limited burning, as well as ripping into secure Windows Media Audio formats for playback with most compatible media players and portable devices. In rare cases, these CDs may not be compatible with computer CD-ROM players, DVD players, game consoles, or car CD stereos, and often are not transferable to other formats like MP3."

So it's not just the black hat tactics. The DRM itself is almost unbelievably restrictive, and some have suggested that the reasoning behind it is part of Sony's ongoing war over digital music supremacy with the decidedly more supreme Apple. Here's how Engadget summarizes a recent article from Variety: "The new copy protection scheme--which makes it difficult to rip CDs and listen to them with an iPod--is designed to put pressure on Apple to open the iPod to other music services, rather than making it dependent on the iTunes Music Store for downloads." I wish I could say that was a joke, but apparently, it's not. In fact, some of the artists involved didn't give permission to Sony to use the backdoor DRM technology, and want no part of it. Amazing.

Happily, and despite the use of scary words like root kit, this story hit the Web in a big way. The PR for Sony is, shall we say, not good. By Wednesday, November 2, Sony had announced that it would, in conjunction with the company that developed this bad black hat idea in the first place (First4Internet) release a patch to antivirus companies so that hackers wouldn't, hopefully, be able to take advantage of the backdoor they just opened on your property. So, that solved the most immediate concern, but the only thing the patch does is reveal the antipiracy software. Presumably, you'd suffer the same PC-crippling effects if you tried to remove it, and Sony continues to insist, despite plenty of evidence to the contrary, that its components weren't harmful in the first place. As for the insanely draconian copy protection--it's still cheerily intact.

No, we ain't gonna take it
This is an unacceptable development in digital rights enforcement. I don't know how to put this any more clearly. Don't get me wrong--we've long since crossed the line. It's utterly absurd that we accept paying for music that will play on only one or two digital audio players, at best. It's absolutely insane that anyone ever tried to put out a CD that couldn't be ripped to a PC at all. It's a complete joke that we're sitting around anticipating the day when TiVo comes along to tell us when we have to watch a recorded show, and that it will choose when a recorded show might be deleted. I can't even believe cell phone carriers think it's OK to cripple cell phone features in order to protect their own moneymaking propositions. And Hollywood's proposed new Analog Hole legislation, which would criminalize nearly every digital video activity you can think of, is another column unto itself, and it's going to be a long one.

But this--using the tactics of criminals to invade our PCs without our knowledge and to expose us to further attack, just so you can keep us from, say, burning a mix CD and giving it to our friends--this is beyond the pale. And as many news sources are beginning to point out, there's some reason to think it might also be illegal, under the U.S. Computer Fraud and Abuse Act.

We're not gonna take it...anymore
Companies: You will never get the increasingly technology-aware, mass media-consuming populace to support your right to copy protection or digital rights management unless they are on your side. And because we are increasingly technology aware, your ever-increasing assault on not only our fair use but also our common sense will virtually guarantee that we use our God-given ingenuity to find a way around whatever bizarre restrictions you see fit to impose. Why? Not because we're dying to break the law, but because you have sold us a crappy product, and, fundamentally, because it is not our responsibility to protect your profits.

What's the solution? In the near term, for us, it's not to buy any Sony CDs, and maybe not any Sony anything. In the longer term, it's to start agitating for a rewrite of copyright law in the manner so eloquently suggested recently by Walt Mossberg of the Wall Street Journal. He suggests copyright law with actual teeth that can chomp on massive-scale piracy, but with broad exemptions for personal use, because excessive DRM is hampering innovation and alienating consumers. I couldn't put it any better. And companies? Sony? Are you really going to tell us that overhauling these outmoded rules is harder and more destructive than suing retirees over honest mistakes made by their 12-year-old grandsons? This is the path you're going to choose?

I'm truly sorry that there are, out there in the world, mass-production piracy operations that are digging into your bottom line, but you know what? I'm not one of them. Neither are most of the people who will be laboring under the nasty little flags, Trojan horses, and FairPlay/Plays For Sure doublespeak that you see fit to slap on the stuff we legitimately purchased.

And you know who's not going to labor under those restrictions? You know who's not even going to notice? The mass-production piracy operations, that's who. You know it, and I know it. So why are you engaged in this nickel-and-dime, small-time thrust-and-parry with me and my friends? Trust me, you're not going to make back the money by dropping viruses onto my PC, because my almighty dollar and I are going elsewhere--and you're probably not going to like where I end up.

Technology will march on. Technology is the reason we're in this fix in the first place, and technology will keep on giving us solutions to whatever irritating, invasive, and potentially illegal roadblocks you keep throwing in our path. And damned if we and our almighty dollars, no matter how long it takes, don't eventually win these little wars.

And why should we listen to CNET , a site which has been teaching people for years where to go and how to download illegal music?

And how many rootkits and other crap has been installed through those very p2p networks CNET recommended at one time or another.

Obviously, not defending Sony, but CNET should keep quiet.

"Obviously, not defending Sony, but CNET should keep quiet."

I disagree. While CNET has done its fair share of harm, anything anyone can do (media, businesses, web forums, etc..) to get the word out there and inform the public is needed.

Lets face it. How many people went out and bought a computer because a friend told them they could download free music and movies? To fault CNET for spreading information is wrong. While not very ethical, many readers have and still continue to read their articles.

>>To fault CNET for spreading information is wrong.

I don't fault them for that. They could have simply said Sony CD installs rootkit and a short explanation.

But this woman is going beyond that, preaching and taking some kind of a moral high ground while her employer ( perhaps even her directly ) have done a lot more damage in the last 10 years or so.

What Sony has done is here is particularly loathesome:

installed a rootkit without user permission (the EULA does not make this clear)
lied about installing the rootkit
lied about their "removal tool" (doesn't actually remove the rootkit)
used their "patch" to install more unwanted software on user's machine (i.e. the ActiveX control)

Sony got caught attacking their customers and instead of owning up to the fact lied about it and then added insult to injury by trying to add in even more malware.

Whether CNET is cool or not is irrelevant to the issue at hand. I would not be surprised if there are Sony employees who think this is malicious if not outright criminal behaviour on the part of their employer.

So the original question stands. . .is Vegas being used to install this backdoor sofware as well? Considering how MovieStudio is pitched it wouldn't surprise me. Definitely means you need to be very cautious about installing or using any Sony products on your PC since you have no way of knowing what the ramifications will be (Can you say bluescreen? How about remote compromise?)

Cheers

Please keep us posted on this topic. I love Vegas, but will go Avid in a heartbeat if Sony is spying.

> And why should we listen to CNET , a site which has been teaching people for years where to go and how to download illegal music?

Actually, one of the funniest things I ever read on CNET was an article about Internet security and how they strongly recommended that you turn off cookies and JavaScript in your browser. So I did... and the CNET web site stopped working!!! I laughed so hard I cried. It was hilarious that they published an article on how to disable browsing their own site. (Oh yea, they are smart ones... can’t fool them)

If you want to blame someone or boycott someone in all this, blame Microsoft for having a wimpy operating system that allows the kernel to be hacked and can’t even detect it. If you looked at the kernel dumps in the sited articles, it was pretty obvious that it had been hacked. Yet the Windows OS is fat, dumb, and happy allowing this to happen and not even bothering to check to make sure no unauthorized code is running at kernel level security. The Windows OS is a joke and customer should be mad at Microsoft for allowing rootkits to even work!

All the more reason to abandon Windows and adopt Linux as the desktop OS of choice. ;-)

~jr

All the more reason to abandon Windows and adopt Linux as the desktop OS of choice. ;-)

Except that if we all did that then everyone would hack Linux, but until then I guess you are a lot safer.

While I have no love for Microsoft (being a convicted predatory monopolist), in this case the fault is squarely with Sony. They specifically instruct the user that you need to log in as an administrator to install the player required to access the content on the CD (under Windows).

http://cp.sonybmg.com/xcp/english/requirements.html

"To listen to the music on this disc, you need a PC with the following minimum system requirements:

* Logged in with Administrator rights"

That is the same as sending you a trojan executable disguised as a "cool CD player program" with a note saying you need to be logged in as an administrator to install it (oh wait, that's what Sony did). The non-geek out there will not understand that being logged in as admin means that whatever they run can wreak havoc on their PC nor would they have guessed that Sony was up to something malicious.

If you are logged in with admin rights on *any* system (Winodws, MacOSX, Linux, FreeBSD, etc.) then you functionally are allowing anything you run to have full access to the operating system. That is the whole point of having an account with administrator rights.

The only time you should be logged in as an administrator is when you are performing admin type duties. The only reason Sony needs that access in this case is so they can install their rootkit, er "MUSIC PLAYER 1.0" as they prefer to call it.

Cheers