Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

Sony BMG DRM disaster worsens

p2p news view / p2pnet: The Sony BMG DRM spyware farce has become a full-scale, full-blown disaster not only for Sony, but also for its brethren in the movie and music industries.

Just about anything that can be said of one cartel member can be said of the others, although admittedly only Sony BMG has been caught in such a blatant and outrageous violation of the rights of its customers.

The damage is already enormous. There are new revelations every day and among the latest, “Sony is infringing the copyright of several open source projects,” DVD Jon Lech Johansen points out on his blog.

“Matti Nikki who has been doing research into this mailed me to let me know that some of the code Sony has ripped off is the FairPlay code that I wrote for VLC.”

And a Sony sales site was hacked and defaced.

As Slyck’s Tom Mennecke sums it up, “The record label’s entire philosophy on P2P networking, Internet piracy and DRM has been effectively destroyed.”

Damage Runs Deep With Sony-BMG Fiasco
By Tom Mennecke - Slyck

Trying to gauge the damage caused by Sony-BMG’s rootkit DRM will take years to comprehend. The gaping wound caused by Sony-BMG exists well beyond infected computers, security problems, and a tarnished reputation.

“While these P2P services would have users believe they simply offer an easy way to download movies and music, they really do much more. It is well-documented that using these services can lead to user’s computers being infected with spy ware and viruses. Often, unwitting users have their most sensitive, private information exposed to unfriendly eyes around the world. Further, P2P systems have been used by pornographers as an easy avenue to reach children.”

This argument by the copyright industry has been annihilated. Computer Associates labeled Sony-BMG’s rootkit as both spyware and a trojan horse. Minimum estimates suggest as many as 500,000 individuals have Sony-BMG’s rootkit DRM installed – far exceeding any infections caused by P2P networking.

Even without an official label by Computer Associates, the public perception of Sony-BMG’s rootkit is that of distrust. In an ironic twist of fate, computers infected with Sony-BMG’s DRM software run the serious risk of being exposed to malicious software. Considering the files Sony-BMG use are hidden from anti-virus and anti-spyware applications, any virus writer can write an identically named file and exploit an untold number of computers.

The copyright industry has also preached from a moral standpoint. Believing there is a parallel between downloading a file from the Internet and physically stealing a CD from a music store, both the music and movie industry have accused file-traders of moral corruption.

“This is not just about online versus offline,” said Hilary Rosen, former president and CEO of the RIAA. “Most in the online business community recognize that what Napster is doing threatens legitimate e-commerce models - and is legally and morally wrong.”

Much like the virus argument, the “moral” argument has also been vanquished. The reason why Sony-BMG found itself in so much trouble is because they hid information – otherwise known as deception – and thought they could get away with it. The specifics of Sony-BMG’s rootkit were never disclosed in the EULA, and they certainly did not disclose the consequences of its removal. Whatever moral standpoint the copyright industry had was effectively nullified when Sony-BMG and First4Internet inked their deal.

Although Sony-BMG succeeded in negating the music and movie industry’s anti-P2P argument in one swift stroke, that’s not the extent of the damage. The music and movie industry’s Digital Rights Management (DRM) campaign – once shrouded in secrecy – has also suffered irreparable harm.

DRM (Digital Rights Management) is a blanket term used to describe copy protection on any digital medium. The protection can be simple, such as blocking unlicensed search terms, or very complex, such as First4Internet’s XCP (extended copy protection). The deployment of DRM can be considered secretive because very few individuals are actually aware of it.

During a recent anti-DRM protest in New York City, a wide majority of individuals were unaware that such copy protection even existed.

Sony-BMG managed to change all of that.

The last thing record labels want is a tremendous amount of attention drawn to the implementation of DRM. As if Sony-BMG’s actions weren’t bad enough, drawing negative publicity to the DRM issue only compounded the situation.

Now people are very aware of the Sony-BMG fiasco and the implementation of DRM. What was once largely invisible to the average customer has been shot right into the spotlight. The term “DRM” is now associated with malignancies such as ‘virus’, ‘malicious software’, ‘deception’, ‘arrogance’, ‘distrust’, and ‘trojan.’

This situation has already delayed the implementation of DRM on CDs. Sony-BMG has ceased the manufacture of CDs with XCP software, and does not expect to reinstate their DRM policy until sometime next year. Other record labels are also coming under increased scrutiny for their DRM products, forcing EMI to state, “We don’t use rootkits.” With so much public scorn now directed towards DRM, record labels are facing the very real possibility that DRM in its current incarnation can no longer manage to exist.

Sony-BMG has managed to accomplish in 16 days what bloggers, the Electronic Frontier Foundation, writers, journalists, and niche sites have been working on for years. Sony-BMG has destroyed the music and movie industry’s arguments against P2P, and brought mainstream attention and public distaste to the DRM debate.

===============

First they ignore you, then they laugh at you, then they fight you, then you win
- Mohandas Gandhi

Tired of being treated like a criminal? They depend on you, not the other way around. Don’t buy their ‘product’. Do bug your local political representatives. Use emails, snail-mail, phone calls, faxes, IM, stop them in the street, blog. And if you’re into organizing, organize petitions, organize demonstrations and then turn up on your local political rep’s doorstep, making sure you’ve contacted your local tv/radio station/newspaper in advance.

2 Responses to “Sony BMG DRM disaster worsens”

  1. Reader's Write Says:

    The pretty veneer of corporate-government alliances is finally being stripped away.
    The ugly beast has finally shown its face. This is only the tip of the iceberg when it comes to the rampant corruption within the government and cartel alliance. If this doesn’t cause people to wake up, there is very little that will.

  2. Reader's Write Says:

    After a long period of ‘political’ correctness and following the illogical notion of “unbiased reporting” (as if criminals should have an equal right as the victims to tell their side of the story) it’s good to see SlyckTom break loose and tell it like it really is.

    Of course, we can always rely on P2Pnet for that :)

  3. Reader's Write Says:

    I don’t think the whole story has yet to be told. There is one heck of a lot of foot dragging that went on and is still going on.

    Sony has yet to admit wrongdoing though they are making moves that would indicate they know well it is wrong, such as recalls and the removal of the rootkit from use without saying that is the purpose. Instead they have merely mentioned they are “reevaluating”.

    Where was the lamescream media in all this? It was far after folks on the net were raising cain before the first article had appeared. They were waiting to see if the hubbub would die down and blow over before mentioning a peep.

    After the showing up of a virus using the rootkit to hide, no one is after Sony for malware that enabled it to hide. Why?

    This hasn’t just started with this latest rootkit thing. Just the last 20 cds (according to Sony who later changed this number to 50 different titles) and Sony who has admitted no wrong has been rewriting their corporate EULA on their official web site more often than you can keep up with. Only the fact that copies have been made of the EULA before the changes exist to show those changes.

    What is even more disturbing is evidence has shown up that Department of Defense computers are infected with this mess. You can bet Homeland Security isn’t happy about that either. Were it an individual he would long ago have been sitting in jail waiting either bond or trial. Why isn’t Sony being faced with these aspects already?

    The only recognised player that Sony includes as the authorized player has been shown to have code that was ripped off from the LAME encoder. In violation of the LGPL license, no mention has been made, nor has any effort been made to meet the requirements of the LGPL license. For one so interested in protecting licenses, why is Sony so deeply involved in what is definitely by their own standards piracy?

    Why has it been so long before Microsucks came out against this rootkit with a definition to identify and remove the mess that affects its own product? More than 1/2 a million networks have been infected by this rootkit.

    That is one huge figure, 1/2 a million, so where were the antivirus and antitrojan writers in all this. That sort of figure ranks right up there with some of the worst malwares, like the Blaster virus. So why have the likes of Symantec, Norton, and other major fighters been so mum on it or writing removers?

    But hey, don’t take it from me, read about it here…
    http://www.wired.com/news/privacy/0,1848,69601,00.html

  4. Reader's Write Says:

    Oh I forgot, there is one other little kicker that hasn’t made the news splash yet as this mess is investigated further.

    It has now turned up that parts of code from DVD Jon’s GPL licensed VLC has also shown up in the player. Where is this mess going to end with violations that Sony feels free to borrow upon while screaming that “Pirates are stealing our stuff”?

  5. Reader's Write Says:

    Hot off the press - Freedom to Tinker are now reporting that the Uninstaller for Sony-BMG’s other DRM, MediaMax, opens up huge security holes

    http://www.freedom-to-tinker.com/?p=931

  6. Reader's Write Says:

    Not a good day for posting, I keep forgetting links. Here is the one to the vlc infringement…

    Two new F4I license infringements found
    http://www.the-interweb.com/serendipity/index.php?/archives/20051117.html

  7. Reader's Write Says:

    It gets worse. Check out this story about what their cameras do.

    http://www.bbspot.com/News/2005/11/sony_photo_sharing.html

    Also this guy has some interesting points about the whole saga.

    http://www.wired.com/news/privacy/0,1848,69601,00.html?tw=rss.TOP
    (you might need to copy paste this url)

    It does give a good reason why MS doesn’t drop on Sony about all this. They’ve essentially given bigbiz permission to screw you.

  8. Reader's Write Says:

    Very easy for the consumer DRM = Dangerous Rootkit Malware

    Sony’s nightmare seems to get worse daily.
    1) they infect customers computers exposing them to viruses/trojans
    2) they release a flawed uninstall that increases users’ exposure
    3) they are caught “spying” on customers as software sends back users listening habits
    4) sony currently has no uninstall for their malware
    5) sony reluctantly corrects the number of CD titles infected with XCP from 20 to 52
    6) now we learn that XCP has misused open source code. In other words Sony or its vendor essentially “stole” parts of the copy protection code.

    It’s pretty laughable to think that Sony is protecting anyone’s intellectual property. Instead, it is unfettered corporate greed. Hopefully, Congress will re-think DRM for upcoming movie releases given the industry’s behavior.

  9. Reader's Write Says:

    I didn’t buy a Sony digital camera. I got a Kodak. Kodak’s software if you use it is loaded with spyware. Needless to say, I took it out and never reinstalled it for that reason. Wasn’t long after that I formatted and zero wrote the drive so I am sure there is nothing on the drive. Had I gotten Sony’s product I would have taken it back for a refund as soon as I found out about not being able to print or share a photo. That is part of the reason you buy a camera and if I can’t do that showing part to others, I don’t want the camera as it is defective and won’t work as I need it to work. Now that I know ahead of time, I won’t EVER buy Sony again.

  10. Reader's Write Says:

    Note that 500,000 figure. It’s not for infected PCs. It’s for DNS servers that appear to have infected PCs that use them and are probably on a network behind them. So it seems likely that the number of infected PCs is at least a factor of 10 and possibly a factor of 100 higher.

  11. Reader's Write Says:

    :) you fell for the spoof article here: http://p2pnet.net/story/6979

    of course you can share pictures from a sony camera.

  12. Reader's Write Says:

    What’s amazing is how little coverage this is getting in the mainstream news. It’s now turned up on Reuters so perhaps that will change but in the UK, the broadsheets with big business sections (like The Times) haven’t covered this story *at all*.

    I’m also waiting for the google bomb. How long before typing Sony into Google takes you to a Digital Rootkit Malware explanation page.

  13. Reader's Write Says:

    I thought it was a spoof when I read it. I have however since then ran up on an article over it.

  14. Reader's Write Says:

    Maybe it’s a spoof but here is where I ran into it at tonight.

    http://www.bbspot.com/News/2005/11/sony_photo_sharing.html

  15. Reader's Write Says:

    jon wrote the story.

    if you compare the original here, and the one you saw, you will see that the other one is almost identical to the original one that jon wrote here.

    obviously, that other “news” site also fell for it and is “reporting” it as if it were true.

    IT IS A SPOOF WRITTEN BY JON!

    OKAY? :)

  16. Reader's Write Says:

    sorry, i spoke too soon.

    i did think it was written by jon, but apparently jon got the story from that BBSpot page, as there is a link in the p2pnet article pointing to it.

    however, it is still a spoof.

  17. Reader's Write Says:

    *grins* It’s ok catflap. Not really important other than it still doesn’t change the feeling I have about Sony. I went from thinking their electronics were fairly good to now I wouldn’t have them anymore. They will lose a boat load over that as I have had a bunch of high end stuff from them. Shoot the head unit setup for the last good car stereo I had was a $1000 bucks for the three piece head unit alone. We won’t talk the cost of the big screen I had or any of the other stuff.

    Right now, I wouldn’t buy a HDTV from any of the makers. Since they haven’t gotten their stuff together on standardized format, tomorrow may well result in some change to have the broadcast flag answer to another “newer” format. In fact if they want the broadcast flag active, I am not sure I want a new tv in any form. It seems that much of the electronics are in flux, far more than in the past (or maybe I notice it more).

    Anyway be that as it may, at some point in future posts (as a regular here) I might remind you of the photo spoof in posting. *grins* Oh, and I still look forward to your articles. :)

    …and Jon, I don’t care if you wrote it or linked to it, keep up the good work. *waves bye for now*

  18. Reader's Write Says:

    “What’s amazing is how little coverage this is getting in the mainstream news. It’s now turned up on Reuters so perhaps that will change but in the UK, the broadsheets with big business sections (like The Times) haven’t covered this story *at all*. ”

    They can’t.
    They’re not “allowed” to.
    Money talks

  19. Reader's Write Says:

    http://p2pnet.net/story/7026

    another good one

  20. Reader's Write Says:

    Are there any journalists out there reading this that are working for a major newspaper or media outlet who’d like to post anonymously as to why this is being ignored in the press?

  21. Reader's Write Says:

    Thanks Sony, people now have a legitimate reason why to download the same songs from the Internet that is on their lawfully purchased CD. If I was downloading cartel produced crap and I got a letter indicating I was going to be sued, here is what I would do:

    I would make a list of each song that I was accused of downloading. I would then check my purchased music collection for any songs that were on the list. Any purchased or borrowed CD that had a listed song would then be photographed. I would then take CASH (not a check nor credit card), and I would purchase the other songs from music stores, garage sales, or I would borrow from other people. I would photograph or produce these CD’s for several witnesses to see. This would prove that I purchased every song I downloaded beforehand. I would then sign an affidavit stating that the reason why I downloaded these songs is because I am afraid to use the ones on the CD because they might contain a rootkit. I would give this affidavit to my lawyer.

  22. Reader's Write Says:

    I don’t think you should see anything sinister in that. I’m sure Sony would be prepared to subvert news, to do almost anything, but it would be told where to go.

    (On the other hand, as Bruce Schneier argues at Wired, I *do* think the slow reaction of many security companies and of Microsoft is suspicious. They haven’t protected their own customers: they have had an “industry versus the customers mentality”.)

    The story has run in the print media here in the UK. See, for example:

    http://business.timesonline.co.uk/article/0,,9075-1873580,00.html

    … it just hasn’t made a big splash. However, the BBC, I was pleased to see, has actually run several items in its Technology News Section:

    http://news.bbc.co.uk/1/hi/technology/default.stm

    And, in fact, I think you should see a clue in that. The BBC, because of its anomalous and anachronistic funding-model, can afford to have full-time tech journalists on the staff. I doubt many news outlets can. The largest-selling broadsheet newspaper over here - The Daily Telegraph - actually laid off the guy who did its weekly computer-help column, although I just checked, and he seems to be back now.

    More generally, I think almost all tech/online news is only on the edge of the horizon for most mainstream news organizations.

    Consequently, what you have on this, as on most other tech news, is patchy and sporadic press coverage. Thank goodness for the blogosphere, eh? I think you’ll find that most media outlets have recycled Reuters’ stuff on this. And when they do write material themselves, they get it wrong. USA Today, I learnt on the tWiT podcast, referred to Sony’s “virus”. Hardly accurate (as the malware doesn’t self-replicate) but serve Sony right to get the v-word. :-)

    That reminds me of Patience Wheatcroft, the (London) Times’s business editor who in her write-up of the Microsoft US DOJ trial said that Microsoft had been accused of integrating Internet Explorer into Word. Probably, to such a person, a computer *means* “Microsoft Word”. How can such people be expected to understand what the case was about?

    I expect this story still has legs. And, if it goes to court, it will certainly get coverage in the mainstream press, although I’d expect many articles to be less than well-informed.
