Musiclovers beware! [UPDATED!]

[Psionicist]

Washington Post about this: http://blogs.washingtonpost.com/securityfix/2005/11/sony_raids_hack.html

 

[Bront]

This is sad. I prefer to turn my CDs into MP3s, and listen to them in a mix, or even make mix CDs for my car.

 

[Jonny Nexus]

If it only works against those trying to pirate it, I have no problems with it. However, if it harms those who play the CD on their computer and do everything completely legally, then I would have a problem with it.

If it harms only those that attempt to misuse the CD illegally, then good for Sony. Screwing up their computers will teach most people a lesson, I hope, except for those determined to bypass the security measures, which someone undoubtedly will. Then Sony will create another way to protect their stuff, etc.

Well there's a comment on John Dvorak's blog which explains why people are getting so angry:

It’s a mess. Even if Sony desists from this appalling behavior now, there are already likely thousands of infected computers out there. And there are thousands of these Trojanized CDs that unsuspecting members of the public have already bought.

Mark Russinovich found the software was very badly written. Just think of all the problems it might cause: there are already reports of it causing blue screen of death on bootup for some people, and F-secure says it will “break the Vista beta spectacularly”. So anyone who’s using that stands to damage their OS and lose their data.

Added to all this, every script kiddy out there can now exploit the hole Sony has opened for them. It’s a timebomb. The government department responsible for trading standards now has a duty to see these CDs are removed from the shelves in all stores before any more people are infected.

I’m boycotting all Sony products now. I wrote them and told them I had, too.

http://www.sonymusic.com/about/feedback.cgi

Comment by Damian — 11/3/2005 @ 1:30 pm​

Now I have no way of knowing if what he is saying is true, but it's his opinion that when the CD installs its program at root level, it opens up a security hole that virus writers or hackers could use. That may be bollocks, but certainly people have no business installing such low-level software without the user's permission.

 

[Jonny Nexus]

OTOH, if anyone would want to bust Sony's chops, it should be MICROSOFT! Something that runs in safe mode, bypassing its purpose? They ought to be trying to sue on the basis of maliciously altering their code, because the number of tech support calls that would be forcibly escalated by a defective driver, thereby tying up their techs, would have an enormous cost to them associated.

Well the counter-argument to that is that Microsoft are at fault for writing their operating system (Windows) in such a way that an application can install itself at such a low-level without the user having to ask permission.

With other operating systems (such as Linux or Mac OS X) a little box pops up when an application tries to do something like that, asking you to enter your admin password - because the application needs admin level privileges to perform the action, and by default, apps don't have that.

(This is an example of what people mean when they say that Windows is inherently insecure. By default, all Windows functions are open to all apps, and they then attempt to use clever coding to block all ways in which app could do something bad. So they only have to make one mistake and they've opened up a security vulnerability. Other OSs start from the point of view of saying everything is closed by default, and then only opening up those functions that they figure an application needs.)

It's like if I found out that my car doors could be unlocked with a coat hanger. It wouldn't be that my car's manufacturer would sue the coat hanger manufacturer. It would be that I would sue the car manufacturer.

 

[IronWolf]

Well the counter-argument to that is that Microsoft are at fault for writing their operating system (Windows) in such a way that an application can install itself at such a low-level without the user having to ask permission.

Unix based systems have had root kits for some time and they aren't asking permission to be installed.

 

[Vraille Darkfang]

Saw something on the news last night.

Now that people KNOW what Sony is doing, they have decided to back-pedal.

As all this does is tick off legitimate consumers & make it take 2 or three more hours (and maybe a special program) for hacker to rip it off. (In fact, hackers are already taking this as a personal 'quest' & are busy copying Sony DRM Discs, BECAUSE THEY CAN).

So, now Sony (& whatever company developed the software) is going to provide a patch to allow you to "See" the copy protection so you can easily remove it.

Again, it'll still require some technical knowledge to do so, but not level previously required.

So, let's keep complaining & maybe they'll drop it all together.

Esp seeing as how it took 2 weeks for Pirates to defeat it & forever for legitimate users to clean up their computer.

 

[Darkness]

Added to all this, every script kiddy out there can now exploit the hole Sony has opened for them. It’s a timebomb.

Indeed. Apparently, some people are already making use of it to cheat in World of Warcraft:

From SecurityFocus:

World of Warcraft hackers using Sony BMG rootkit
Robert Lemos 2005-11-03

Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.

Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.

Despite making a patch available on Wednesday to consumers to amend its copy protection software's behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.

 

[Bront]

Well there's a comment on John Dvorak's blog which explains why people are getting so angry:

It’s a mess. Even if Sony desists from this appalling behavior now, there are already likely thousands of infected computers out there. And there are thousands of these Trojanized CDs that unsuspecting members of the public have already bought.

Mark Russinovich found the software was very badly written. Just think of all the problems it might cause: there are already reports of it causing blue screen of death on bootup for some people, and F-secure says it will “break the Vista beta spectacularly”. So anyone who’s using that stands to damage their OS and lose their data.

Added to all this, every script kiddy out there can now exploit the hole Sony has opened for them. It’s a timebomb. The government department responsible for trading standards now has a duty to see these CDs are removed from the shelves in all stores before any more people are infected.

I’m boycotting all Sony products now. I wrote them and told them I had, too.

http://www.sonymusic.com/about/feedback.cgi

Comment by Damian — 11/3/2005 @ 1:30 pm​

Now I have no way of knowing if what he is saying is true, but it's his opinion that when the CD installs its program at root level, it opens up a security hole that virus writers or hackers could use. That may be bollocks, but certainly people have no business installing such low-level software without the user's permission.

Everything he said is perfectly true. Allowing files that other programs can't see to exist on a computer causes a problem with viruses.

A good example: There is a virus that hid in the Fonts directory, where, unless you're using the command prompt, you can't find the files. They will not show up in Windows explorer, and there is nothing you can do to make them. Some anti-virus programs used to miss them because of this.

 

[RedWick]

Indeed. Apparently, some people are already making use of it to cheat in World of Warcraft:

So wait? Sony, the makers of EQ and EQ2, developed and released a program which allows easier hacking on one of their rival's games?

 

[jaerdaph]

Sony issues fix for hidden rootkits