Posted on 11/17/2005 6:09:52 AM PST by ShadowAce
When the news first broke in the mainstream press that Windows expert and blogger Mark Russinovich (he wrote a book about Windows for Microsoft) had found that Sony's anti-piracy efforts had gone too far and that Sony's DRM was installing an undetectable rootkit on customers' computers which they couldn't safely remove, the first reaction from Microsoft was guarded. They were concerned, they said, and were evaluating what, if anything, to do:
Microsoft, which also ships an anti-spyware program, recently renamed "Windows Defender," hasn't yet decided whether it will also flag the Sony DRM software as malicious code, the spokesperson said. "Microsoft's Windows Defender and the Malicious Software Removal Tool [MSRT] have established objective criteria to determine what code will be classified for removal. We are evaluating the current situation to determine if any action from Microsoft is necessary," the spokesperson wrote in an e-mail statement.
Computer Associates and Symantec had already announced they would add detection of the Sony rootkit to their security software, but Microsoft needed time to think. Now, they've decided to zap the rootkit also:
The software giant's Windows AntiSpyware application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology. . . . Detection and removal of the XCP rootkit will also appear in Windows Defender, the next version of Windows AntiSpyware when that makeover ships.
Meanwhile, antivirus firms are already warning about a new trojan in the wild taking advantage of the rootkit. This story raises some questions. These CDs with rootkits have been sold for 8 months. Where was Microsoft? Why didn't they and antivirus companies notice this rootkit themselves long ago?
When the story first hit, here's the explanation given by First 4 Internet, the company that wrote the rootkit for Sony:
The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said.
So, Symantec and "the big antivirus companies" already knew about the rootkit? According to this statement, it seems they did. Are they then liable as well as Sony?
Groklaw member alangmead asked another valid question in a comment to an earlier article: Does that mean that Microsoft knew also and was complicit, deliberately ignoring the rootkit? Alternatively, if not, might one not legitimately ask if Microsoft's anti-spyware is "sophisticated enough to detect the system changes" made by Sony's DRM? Which explanation is worse?
I can't help but wonder about a third possibility. Charlie Demerjian recently wrote about what he views as the new Microsoft PR technique. He says because Microsoft lacks credibility, they don't put out press releases on certain stories. Instead they leak it to the press or to blogs. I'll let him describe it for you:
MS has taken to 'slips', 'admissions' and 'leaks' in ways that it 'really should not have' done. The reporter pounces, and the Microsoft spokesperson gets all defensive and asks that it not be published, blah blah blah. Memos leaked to the right people have a similar effect, as do blog entries as a first line of press knowledge. Few things work better than a grass roots spreading of 'facts' that the mainstream press 'notices'. Few PR efforts or change of direction come in press releases any more, they all come from blogs and leaked memos. The people who pick the stories up and grassroots spread them tend not to mock as much as the real press. Those that do can be easily laughed off by real PR as the lunatic fringe. Basically, Microsoft is using the boggosphere to do its PR for them, and we are supposed to be the pawns.
Is that what happened here? I have no idea, but I know it's the right question. I'm not in love with Sony at the moment, but fair is fair.
I thought it was important to mention all this, because of the litigation. Just how deep does this betrayal of customers go? F-Secure, who was not part of the complicit agreement apparently and discovered the rootkit independently, according to Russinovich, explained on November 4 on their blog why rootkits are a security problem:
A member of our IT security team pointed out quite chilling thought about what might happen if record companies continue adding rootkit based copy protection into their CDs.
In order to hide from the system a rootkit must interface with the OS on very low level and in those areas there's no room for error.
It is hard enough to program something on that level, without having to worry about any other programs trying to do something with same parts of the OS.
Thus if there would be two DRM rootkits on the same system trying to hook same APIs, the results would be highly unpredictable. Or actually, a system crash is quite predictable result in such situation.
So imagine a situation where Joe Customer buys CD from label A and another CD from label B. Label A uses third party DRM from company X and Label B uses from company Y.
Then our user first plays one of the CDs in his PC, and everything works fine. But after he starts playing the second CD, his computer crashes and won't boot again. This is something I would not like to associate with buying legal CDs.
The Department of Homeland Security agrees. This IP protection is now threatening our security. How did everyone lose their sense of proportion? I earlier put a link to the audio of Stewart Baker, Department of Homeland Security Assistant Secretary for Policy, in News Picks, but what he said is so important, I wish to repeat it here:
"It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days. "If we have an avian flu outbreak here and it is even half as bad as the 1918 flu, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is going to be a matter of life and death and we take it very seriously as well." - DHS Ass't Sec'y on Policy Stewart Baker
Copyright infringement is important to companies like Sony, of course, but if, when enforcing their rights, they end up exceeding their actual rights and endanger our lives in their quest to protect mere money, something is seriously out of balance. I also most sincerely hope that the DHS realizes the security value of the GNU/Linux operating system, as well as MacOSX. If the Department is relying exclusively on Windows, I am frankly terrified.
By the way, if you'd like to hear the immortal words from First 4 Internet about rootkits and how customers don't know what they are and so needn't care about them, here you go. Your choices to listen to the audio are Windows Media Player or RealPlayer. Is it time, folks, for websites to broaden the choices they offer people? Some of us are afraid to use Windows, you know.
And for any of you who are staring at your Windows computer and wondering just how bad it is in your personal case, may I encourage you to think about GNU/Linux systems as a remedy? It's one advantage of FOSS software that there is no code you are not allowed to examine. That's part of what the Free means in Free Software and the Open in Open Source, that you are free to look at the code and are free from secret corporate dirty tricks and private gentlemen's agreements that put your security at risk.
work now, read later
I have a question...I use Symantec's Internet Security Spyware Edition. Is that as sufficient as Microsoft's removal tool?
How is this helping the artists?? And what is the law about me buying a CD and burning a copy for my Husband to use at work? He's a contractor and wouldn't want to take anything but a burned copy to a jobsite.
The Sony debacle is worse than the one by Intuit in their TurboTax a couple of years ago. Intuit implanted a tiny file on the boot sector of the hard drive, and the only way to remove it was to completely reformat the drive. They lost me as a customer after over 10 years of continuous business, simply because of their attitude toward honest, paying consumers.
I honestly don't know. I use AVG as my anti-virus for those times I am forced to be on a Windows machine.
Same here. I use TaxCut now.
I believe that "fair use" laws allow that, as long as it is for personal use only (like you described).
Sony has every right to protect its products.
"I understand that there are probably a few people here who refuse to believe anything PJ says, but please--refute her on the facts rather than using any ad hominem attacks."
I believe that in this article she's the one doing the attacking with little by the way of facts.
First 4 Internet is responsible for the software they write.
It's doubtful that First 4 Internet revealed much of their copy protection software to anyone without NDAs in place. The DMCA also makes it legally difficult to go public about flaws in copy protection schemes.
At worst Microsoft or Symantec didn't rigorously test someone else's product. It's not Symantec's fault that First 4 Internet created a product with incredibly huge security holes, unless they were being paid as consultants to investigate such issues for First 4 Internet.
It's First 4 Internet that did a horrible job on their product, and it's they that should pay the price.
It appears that they are trying to spread the blame to avoid full accountability.
It appears that PJ is looking to try to spread the blame onto others as well without any facts justifying it.
Understood. However, during that initial software review by MS, shouldn't MS have denied access to the low-level APIs for this purpose? With that one action, MS could have headed this off before it ever became an issue. With a refusal by First 4 Internet to play along, MS could have gone ahead and warned the public about it, or at least incorporated this rootkit into their Windows Defender software.
It's First 4 Internet that did a horrible job on their product, and it's they that should pay the price.
Agreed. 100%.
It appears that they are trying to spread the blame to avoid full accountability.
There may be blame here to go around. I'm not saying that MS is culpable in this farce, but they could have (if they knew about it) incorporated the detection for this into their own product.
You are absolutely correct. So what? Sony does NOT have every right to protect its products in every possible way. The point is that the method they used crossed the line between what is acceptable and what many think is unacceptable.
Sony has every right to protect its products.
What MS is doing is CYA. And to be honest, nobody (users and MS) expected a computer virus to come from the CD-Rom through a Music CD. A-drive yes, but not a CD-Rom drive.
This attitude has been pervasive since the virtual dawn of personal computing. Every time it causes lost customers. Sometimes a company literally goes under and then blames its customers for not embracing the company in light of its hostile efforts.
The efforts attacking the consumer are statistical noise when it comes to the problem of piracy. These efforts will not stop the well organized illegal duplication efforts in China, for example.
How would Microsoft like it if a hardware manufacturer decided to break the XP activation requirement? That's the kind of position they've taken regarding SONY's DRM-enabled music discs.
More and more mammoth media interests have been buying off Congress to shape intellectual property law to hinder competition and narrow consumer rights. The notion that works will pass into the public domain has become all but meaningless in our life times all the while some content creation companies, such as Disney, reaped the benefit of past works which have moved into public domain.
We need to demand reform. We need a patent office with competent and qualified reviewers, skilled in the technical arts who won't be handing out patents like pez candies. We need to take back "public domain" as the founders intended.
Sony has absolutely no right to implant a file on my system that causes a security compromise. They should be held legally liable for any such activity, including (but not limited to) the cost in hourly wages and/or cost of having a professional IT person remove it from my computer.
This is a classic lawsuit just waiting to happen.
How can you take Sony's action and turn it into a "blame Microsoft" situation? Sony is the culprit here, Microsoft is merely taking action to protect their own customers through the removal procedure.
The fact that the code was "cloaked" makes it damn certain that they knew that what they were doing was wrong; I believe the legal term is "evidence of consciousness of guilt", or something like that.
What Sony did is a felony in many countries, including the US.
This is going to be *very* interesting as it plays out, and I predict that it is NOT going to go away quietly.