Look out, an explosion coming in the world of computer security...

[mtnbkr]

You must understand how Linux works

I do, having installed several systems for both business and private use...

If you install it properly and give your users non-root accounts, what you say is true.  However, if it becomes popular enough to end up on granny's computer, you can bet the standard installation will give the primary user full access (just like with Windows 2k and XP).  Most users don't understand the concept of "user" and "root/admin", they will demand full control from a single user account as they are accustomed to having today.  When that happens, you'll have the same problems with Linux you now have with Windows.

The system isn't the problem, the users and their expectations are.  Had Windows started out with user accounts and gotten people conditioned to using a special account for system work, we probably wouldn't have the problems we have today.

Chris

[Zundfolge]

However, if it becomes popular enough to end up on granny's computer, you can bet the standard installation will give the primary user full access (just like with Windows 2k and XP).

This is the main reason why many newer Linux distros have done away with the root account (or at least its not set up in the default install). This requires people to sudo to perform root functions.

The same thing goes for MacOSX (which is really the first widely used desktop *nix).

...they will demand full control from a single user account as they are accustomed to having today.

Hasn't happened with MacOSX ... and all the more user friendly "desktop" distros of Linux I've run have all been set up this way (Mandrake, Ubuntu, Linspire, etc)

But yes, you are correct, if a Linux machine is not set up smartly it can easily be infected with this thing ... big difference is that it'll be cake to get rid of (worse case scenario you delete the user account and home folder of whomever installed it) whereas Windows (with its evil Registry) will be much harder to remove this kind of crap.

[jefnvk]

You can NOT install ANY software without the user being aware of it, because in order to install a piece of software the user must manualy enter their password.

No, I am completely aware of how Linux works.  I am also completely aware of how stupid people are.

Most people will click 'OK' on whatever boxes pop up.

Linux will not get far into the mainstream computing requiring people to 'sudo' everything.

If it ever does go mainstream, it will be ebcause people have the right to install stuff, even if they have no concept of root or admin accounts.
The thing is, people want to be able to download and install whatever the email of the day tells them is the newest and bestest thing to have on your computer.  They want to do everything easily.

[Justin]

Then they get what they deserve.

At least with LINUX it would appear that those who put some forethought into it will actually have a choice in the matter.

[Zundfolge]

Linux will not get far into the mainstream computing requiring people to 'sudo' everything.

Tell that to all the Linux developers who are releasing "distros for the masses" right now, and tell that to Apple (who have had a ton more people "switch" since they went Unix).

[Preacherman]

Interesting comments from the BBC on the impact of Sony's copy-protection mindset (http://news.bbc.co.uk/2/hi/technology/4406178.stm):

Last Updated: Friday, 4 November 2005, 11:35 GMT

The rootkit of all evil?

Sony is in trouble but we might be the ones who lose out in the end, says technology commentator Bill Thompson.

Sony BMG, the record company part of the multinational corporation that makes laptops, TVs, movies and many other things, is in trouble this week thanks to a copy protection scheme it has used on a number of its CDs.

The software, called Extended Copy Protection or XCP, hides itself on your hard drive using techniques normally reserved for viruses, worms and trojans, which use similar "rootkits" to evade detection.

And if you notice it is there and try to remove it you may stop your computer recognising its CD drive.

This is because the cloaking techniques involve making changes to the Windows registry, altering the way device drivers work and generally messing with your installation.

XCP was developed by a UK company called First 4 Internet, and Sony says that it has been using it for months.

It is one of many competing techniques used by record companies to try to stop people making copies of music files from CD as they fear that their customers will then make the music available online without permission.

The existence of the hidden files was noticed by Windows expert Mark Russinovich.

He was scanning his system for security breaches when he noticed something odd going on, and he quickly realised that the suspicious software had been installed when he first listened to the album Get Right With the Man by country rockers Van Zant.

The point of the exercise is to force you to use the supplied music player software if you want to listen to the songs on the album. And, as you would expect, it also limits your ability to copy the music files to your hard drive or MP3 player.

A spokesman for Sony BMG said the licence agreement on the CDs were explicit about what was being installed and how to go about removing it. It referred technical questions to First 4 Internet.

Of course, like so many other companies, Sony's super copy protection only applies to people using Windows PCs.

If you have got a Mac or a Linux box then you can play and even copy you disc happily, because the real WAV files that a CD player uses are there on the disc.

If I was a PC user faced with a disc that insisted on using some non-standard player to let me listen to the music I had just paid for I would have no compunction at all about heading off to the nearest peer-to-peer site to download clean, high-quality copies of the songs I wanted.

Or just asking a Mac-using friend to rip them into my music library.

Of course I would keep the disc, because this is not about getting music for free and depriving artists of their income. It is about letting record companies know that we have reasonable expectations for what we can do with the music we buy and we will not put up with their games.

Fortunately, it is possible to avoid buying discs like this. Philips, who defined the CD standard and then made it widely available, has been very clear that these music delivery systems do not count as Compact Discs and cannot use the CD logo.

As far back as 2002, Philips representative Klaus Petri told Financial Times Deutschland that "those are silver discs with music data that resemble CDs, but aren't".

And online retailers like Amazon will tell you that what you are buying is a copy-protected data disc that may, just may, play properly in your CD player but will not work as expected on your computer.

What Sony has done is stupid, but I am willing to accept that they did not really understand what they were getting into.

In fact, I would be surprised if anyone at a senior level in Sony's record division even knows what "cloaking" is or has heard the word 'rootkit' before they hit the blogosphere.

The executives who signed up to use the Force 4 Internet software probably did not realise that they were unleashing a public relations disaster of biblical proportions, but my pity will not help them.

They have just released a program that will make the files visible, though it still leaves the player software on your system, and First 4 Internet say they have stopped using these techniques. But there is already talk of a consumer boycott, not only of copy-protected discs but of all Sony BMG discs.

Five years ago this would not have mattered, but there are enough net users and enough blog readers out there to make a difference. After all, if you are thinking of buying a Van Zant album today and type "van zant cd" into Google, guess what you will find on the first page of hits?

It would be nice to think that the furore over the choice of copy protection system will change the way Sony and other record companies think about their customers, and that they might start treating us as honest fans who will behave fairly if we are offered a good product at a decent price.

But I fear that they are far more likely to look at the way that Microsoft has cosied up to the Hollywood studios in designing Vista, the new version of Windows, and ask for similar privileges.

Microsoft has told technology companies that if they want to develop system-level software that lets Vista play movies then they have to get the approval of at least three of the major studios before it will be included in Windows.

I suspect that Sony would be very interested indeed in a version of Windows that controlled music playback without the need for any extra software from them.

And I fear that the fuss over XCP will prompt them to get in touch with their friends at Microsoft, and then all Windows users will find that they lose the ability to copy music CDs.

Mac users out there cannot look smug about this, since once Apple move to the Intel chipset for the Mac they have said they are going to start using trusted computing features in the hardware that will allow them to exert similar levels of control within Mac OS.

And of course once there is a "technological protection mechanism" in place then it is against the law - both in Europe and the US - to get round it, so open source players for Linux platforms will be illegal. All in all, it is not looking good for those of us who like to buy and listen to music.

[garrettwc]

Latest update:

Sonys Player Phones Home

It's getting worse.

[Felonious Monk/Fignozzle]

...besides Van Zant's disc, are there other titles they've found with this lovely piece of malware as added value?

[garrettwc]

...besides Van Zant's disc, are there other titles they've found with this lovely piece of malware as added value?

Sony didn't name names, but in the original link that Jim March posted they referenced somewhere between 20-50 other CDs that they had used this on IIRC.

[matis]

Here's (more) info on viruses designed to exploit Sony's rootkit.  More viruses, I'm sure, to come.

I think Sony will feel this backlash on their bottom line.

I have already told at least a dozen people.  All responded by saying they will suspend buying Sony CDs.  If this is typical then Sony will lose sales across their CD line.

They deserve it.  The only pain a corporation can feel is financial.  In that case, I'm a sadist.



matis







   
Viruses Exploit Sony CD Copy-Protection
Nov 10 5:08 PM US/Eastern
Email this story    

By MATTHEW FORDAHL
AP Technology Writer

SAN JOSE, Calif.

A controversial copy-protection program that automatically installs when some Sony BMG audio CDs are played on personal computers is now being targeted by malicious software that exploits the antipiracy technology's ability to hide files.

The Trojan horse programs _ three have so far been identified by anti- virus companies _ are named so as to trigger the cloaking feature of Sony's XCP2 antipiracy technology, security experts said Thursday.

"This could be the advanced guard," said Graham Cluley, senior technology consultant at the security firm Sophos. "We wouldn't be surprised at all if we saw more malware that exploits what Sony has introduced."

The copy protection program is included on about 20 popular music titles, including releases by Van Zant and The Bad Plus, and disclosure of its existence has raised the ire of many in the computing community, who consider it to constitute spyware.

Sony BMG Music Entertainment and the company that developed the software, First 4 Internet, have claimed that the technology poses no security threat. Still, Sony posted a patch last week that uncloaks files hidden by the software.

On Thursday, Sony released a statement "deeply regretting any disruption that this may have caused." It also said it was working with Symantec and other firms to ensure any content-protection technology "continues to be safe."

Neither Sony spokesman John McKay nor First 4 Internet CEO Mathew Gilliat-Smith returned messages seeking additional comment.

Windows expert Mark Russinovich discovered the hidden copy-protection technology on Oct. 31 and posted his findings on his Web log. He noted that the license agreement that pops up said a small program would be installed, but it did not specify it would be hidden.

Manual attempts to remove the software can disable the PC's CD drive. Sony offers an uninstallation program, but consumers must request it by filling out two forms on the Internet.

"What they did was not intentionally malicious," Cluley said. "If anything, it was slightly inept."

The copy-protection software, which Sony says is a necessary "speed bump" to limit how many times a CD is copied, only works on Windows- based PCs. Users of Macintosh and Linux computers are not restricted.

The viruses also only target Windows-based machines.

The infection opens up a backdoor, which could be used to steal personal information, launch attacks on other computers and send spam, antivirus companies said.

Sony also is facing legal headaches. On Nov. 1, Alexander Guevara filed suit in Los Angeles County Superior Court seeking class action staus. He claims Sony's actions constituted fraud, false advertising, trespass and violated state and federal laws barring malware and computer tampering.

His attorney, Alan Himmelfarb, did not immediately return calls seeking comment.

"Entertainment companies often complain that fans refuse to respect their intellectual property rights. Yet tools like this refuse to respect our own personal property rights," said Jason Schultz, a staff attorney for the Electronic Freedom Foundation. "Sony's tactics here are hypocritical, in addition to being a security threat."

Copyright 2005 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

[Felonious Monk/Fignozzle]

It's heatin' up, boys & girls...

 California Class Action Suit Sony Over Rootkit DRM
http://yro.slashdot.org/article.pl?sid=05/11/10/0024259&from=rss

First Trojans in the wild exploiting Sony's DRM Rootkit:
http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/

[Preacherman]

Another article on lawsuits, and on viruses being written to exploit Sony's rootkit:  http://www.cnet.com/4520-6033_1-6376177.html

DRM this, Sony!

By Molly Wood, section editor, CNET.com

Thursday, November 3, 2005

Updated November 10, 2005

I hope this is the week that everyone in the world finds out what a root kit is. And I hope it's a week we look back on in amazement, as we consider just how far Sony was willing to go to criminalize consumers in its efforts to preserve control over its product. Because I believe this is the week that Sony effectively declared war on the consumer, announcing what most of us had already suspected: fair use is a joke in the movie and record industry, and the companies who control mass-market content will truly stop at nothing to protect their profits.

We're not gonna take it

But let me start at the beginning. On Monday, October 31, alert users discovered that Sony BMG is using copy-protected CDs to surreptitiously install its digital rights management technology onto PCs. You don't have to be ripping the CD, either--just playing it from your CD-ROM drive triggers the installation. The software installs itself as a root kit, which is a set of tools commonly used to make certain files and processes undetectable, and they're the favored tool of crackers who are, as Wikipedia puts it, attempting to "maintain access to a system for malicious purposes." In fact, root kits are often classified alongside Trojan horses. And Mark Russinovich, who created a root-kit detection utility and was one of the first to blog about the Sony intrusion, discovered another little gem when he tried to remove the DRM drivers. It broke his computer--disabling his CD drive.

So, let's make this a bit more explicit. You buy a CD. You put the CD into your PC in order to enjoy your music. Sony grabs this opportunity to sneak into your house like a virus and set up camp, and it leaves the backdoor open so that Sony or any other enterprising intruder can follow and have the run of the place. If you try to kick Sony out, it trashes the place.

And what does this software do once it's on your PC? It enacts unbelievably restrictive DRM, including possible incompatibility with computer CD-ROM players, DVD players, and car CD stereos. And in a deep-dive into the Sony end-user license agreement, the Electronic Frontier Foundation found some astonishing fine print. For example, if you lose the original CD or it's stolen, you lose the right to any digital copies you've made. You can't keep your music on computers at work. You must delete your songs if you move out of the country or if you file for bankruptcy. The list goes on and on. As for the artists whose names have been sullied by their association with the root kit, it seems that at least some of them didn't give permission to Sony to use the backdoor DRM technology and want no part of it.

Happily, and despite the use of scary words like root kit, this story hit the Web in a big way. The PR for Sony is, shall we say, not good. On Wednesday, November 2, Sony had announced that it would, in conjunction with the company that developed the root-kit plan in the first place (First4Internet) release a patch to antivirus companies so that hackers wouldn't, hopefully, be able to take advantage of the backdoor they just opened on your property. But the patch only reveals the the antipiracy software, it doesn't uninstall it. And of course, it leaves the insanely draconian copy protection cheerily intact. If you want to remove the software, you must beg Sony for an uninstall link. CNET's Brian Cooley reports that he received the link via e-mail, but that running the uninstall gave him an error. Visiting the support site to request help with the error, Cooley was sent to a form whose first field asks which country you're from. Neither USA nor North America are options. That's not trying very hard to fix the problem.

Actually, Sony's response to the mess it caused is almost as bad as the mess itself. The company continued to insist, despite growing evidence to the contrary, that its components weren't harmful in the first place. And in fact, the president of Sony BMG's global digital business division, Thomas Hesse, told National Public Radio that most people don't know what a rootkit is, so they shouldn't care that it had been secretly installed on their PCs. Mr. Hesse, they care. And they should start caring a whole lot more--on November 10, BitDefender uncovered the first Trojan horse (but possibly not the last) that takes advantage of the upatched DRM technology to open a backdoor on a Windows PC. So, if you're the recipient of the rootkit and you haven't yet received a patch, Sony has officially endangered your PC.

No, we ain't gonna take it

This is an unacceptable development in digital rights enforcement. I don't know how to put this any more clearly. Don't get me wrong--we've long since crossed the line of DRM insanity. But this--using the tactics of criminals to invade our PCs without our knowledge and to expose us to further attack, just so you can keep us from, say, burning a mix CD and giving it to our friends--this is beyond the pale.

And as many news sources are beginning to point out, there's some reason to think it might also be illegal, under the U.S. Computer Fraud and Abuse Act. As of this writing, two class-action suits had been filed against Sony BMG over the root kit--one in Italy, and one in California. I'm quite sure that won't be the end of it.

We're not gonna take it...anymore

Companies: You will never get the increasingly technology-aware, mass media-consuming populace to support your right to copy protection or digital rights management unless they are on your side. And because we are increasingly technology aware, your ever-increasing assault on not only our fair use but also our common sense will virtually guarantee that we use our God-given ingenuity to find a way around whatever bizarre restrictions you see fit to impose. Why? Not because we're dying to break the law, but because you have sold us a crappy product, and, fundamentally, because it is not our responsibility to protect your profits.

What's the solution? In the near term, for us, it's not to buy any Sony CDs, and maybe not any Sony anything. In the longer term, it's to start agitating for a rewrite of copyright law in the manner so eloquently suggested recently by Walt Mossberg of the Wall Street Journal. He suggests copyright law with actual teeth that can chomp on massive-scale piracy, but with broad exemptions for personal use, because excessive DRM is hampering innovation and alienating consumers. I couldn't put it any better. And companies? Sony? Are you really going to tell us that overhauling these outmoded rules is harder and more destructive than suing retirees over honest mistakes made by their 12-year-old grandsons? This is the path you're going to choose?

I'm truly sorry that there are, out there in the world, mass-production piracy operations that are digging into your bottom line, but you know what? I'm not one of them. Neither are most of the people who will be laboring under the nasty little flags, Trojan horses, and FairPlay/Plays For Sure doublespeak that you see fit to slap on the stuff we legitimately purchased.

And you know who's not going to labor under those restrictions? You know who's not even going to notice? The mass-production piracy operations, that's who. You know it, and I know it. So why are you engaged in this nickel-and-dime, small-time thrust-and-parry with me and my friends? Trust me, you're not going to make back the money by dropping viruses onto my PC, because my almighty dollar and I are going elsewhere--and you're probably not going to like where I end up.

Technology will march on. Technology is the reason we're in this fix in the first place, and technology will keep on giving us solutions to whatever irritating, invasive, and potentially illegal roadblocks you keep throwing in our path. And damned if we and our almighty dollars, no matter how long it takes, don't eventually win these little wars.

[garrettwc]

The genie is out of the bottle and the mainstream press has a hold of it. Executives at Sony better be wearing their fireproof undies!

Microsoft has even jumped on the "Get Sony" bandwagon. Microsoft has been spending some big marketing $$ trying to convince people that XP and the upcoming Vista are stable and secure. Now thanks to Sony, another big security hole is all over the six o'clock news.

Wonder what would happen to Sony's VAIO computer sales if their next shipment of Windows CDs was "unexpectedly delayed". :/

[Zundfolge]

I hope Van Zant gets his lawsuit in too ... Sony has just screwed him hard and good and made him into a pariah.

[Gewehr98]

Getting bigger by the minute, this is from CNN tonight:

New virus uses Sony BMG software

Thursday, November 10, 2005; Posted: 5:20 p.m. EST (22:20 GMT)


AMSTERDAM, Netherlands (Reuters) -- A computer security firm said Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc.

Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down a computer's firewall and give hackers access to a PC. The malware hides by using Sony BMG software that is also hidden -- the software would have been installed on a computer when consumers played Sony's copy-protected music CDs.

"This leaves Sony in a real tangle. It was already getting bad press about its copy-protection software, and this new hack exploit will make it even worse," said Sophos's Graham Cluley.

Later on Thursday, security software firm Symantec Corp. also discovered the first trojans to abuse the security flaw in Sony BMG's copy-protection software. A trojan is a program that appears desirable but actually contains something harmful.

Sony BMG's spokesman John McKay in New York was not immediately available to comment.

The music publishing venture of Japanese electronics conglomerate Sony Corp.and Germany's Bertelsmann AGis distributing the copy-protection software on a range of recent music compact disks (CDs) from artists such as Celine Dion and Sarah McLachlan.

When the CD is played on a Windows personal computer, the software first installs itself and then limits the usage rights of a consumer. It only allows playback with Sony software.

The software sparked a class action lawsuit against Sony in California last week, claiming that Sony has not informed consumers that it installs software directly into the "roots" of their computer systems with rootkit software, which cloaks all associated files and is dangerous to remove.

Sophos said it would have a tool to disable the copy protection software available later on Thursday.

Sony BMG made a patch available on its Web site on Tuesday that rids a PC from the "cloaking" element that is part of the copy-protection software, while claiming that "the component is not malicious and does not compromise security."

The patch does not disable the copy protection itself.

The Sony copy-protection software does not install itself on Macintosh computers or ordinary CD and DVD players.

[Preacherman]

Sony has announced that it's suspending the production of CD's using its copy-protection system.  Full details at http://news.bbc.co.uk/2/hi/technology/4430608.stm for those interested.  Also, there are now half-a-dozen lawsuits against Sony as a result of all this.  Watch for future developments...

[RadioFreeSeaLab]

Excellent.

[Preacherman]

Sony has released a list of all the CD's it sold with its copy protection technology installed.  Might be worth checking to see if you have any of these, and take precautions appropriately...  See

http://cp.sonybmg.com/xcp/english/titles.html

for the list.  Also, see this article:

http://news.bbc.co.uk/2/hi/technology/4445550.stm

for the latest developments in the story.

[Guest]

Quoting my very first post on this subject the day it hit:

-----------
This story just hit today in "geek circles".  I guarantee it'll make the national news within a week, probably less.  I also guarantee Sony will do a full recall and refund to existing customers, the British programmers who spawned this abortion are simply *dead* as a company, this is gonna be huge.
-----------

Every prediction I made has come true.  Heh.  Kewl.

In other news: you know you're screwed when MICROSOFT is calling your corporate ethics "evil" .

[Winston Smith]

pwn.

[Phantom Warrior]

My first thought was that someone figured out how to efficently factor large numbers...  

Seriously, I've been uncomfortable with this concept of media players and music companies being able to control what happens on MY computer for a long time.  This just confirms my fears.