-
November 17th, 2005, 03:30 PM
#11
Hey Hey,
For those of you that haven't seen this yet... since it's related to this thread... Here's what US-CERT had to say
US-CERT is aware of several vulnerabilities regarding the XCP Digital Rights Management (DRM) software by First 4 Internet, which is distributed by some Sony BMG audio CDs. The XCP copy protection software uses "rootkit" technology to hide certain files from the user. This technique can pose a security threat, as malware can take advantage of the ability to hide files. We are aware of malware that is currently using this technique to hide.
One of the uninstallation options provided by Sony also introduces vulnerabilities to a system. Upon submitting a request to uninstall the DRM software, the user will receive via email a link to a Sony BMG web page. This page will attempt to install an ActiveX control when it is displayed in Internet Explorer. This ActiveX control is marked "Safe for scripting," which means that any web page can utilize the control and its methods. Some of the methods provided by this control are dangerous, as they may allow an attacker to download and execute arbitrary code.
More information about this vulnerability can be found in the following US-CERT Vulnerability Note:
VU#312073 - First 4 Internet XCP "Software Updater Control" ActiveX control incorrectly marked "safe for scripting"
US-CERT recommends the following ways to help prevent the installation of this type of rootkit:
Do not run your system with administrative privileges. Without administrative privileges, the XCP DRM software will not install.
Use caution when installing software. Do not install software from sources that you do not expect to contain software, such as an audio CD.
Read the EULA (End User License Agreement) if you do decide to install software. This document can contain information about what the software may do.
There are several links at the bottom of the KB article in reference to it (including the freedom-to-tinker link).... Also this points out that it's important to note that Sony only distributed the software... While there are still problems with that... this is First4Internet's software....
Peace,
HT
-
November 17th, 2005, 04:16 PM
#12
it's important to note that Sony only distributed the software... While there are still problems with that... this is First4Internet's software
Hmmmm..... That's a lot like saying that the virus writer only distributed the software... This is Microsoft's flaw it exploits......
Sony purchased the software knowing what it does and how it works and distributed it to unsuspecting customers without regard for potential harm to them in order to protect their profit.
That's plain wrong..... Sony aren't stupid, they knew what they were doing......
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
November 17th, 2005, 04:29 PM
#13
Sony aren't stupid, they knew what they were doing..
Take a look below. I'm not sure they new exactly what they were doing?
http://www.antionline.com/showthread...r=3#post872566
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
November 17th, 2005, 04:50 PM
#14
Jinx:
By that reasoning I can purchase a nuclear weapon and think to myself "What happens if I press this button marked 'Remote Detonation'?"
Since I didn't know the consequences am I not able to be held responsible? Sorry, but that's rubbish.... Sony wanted to acheive a goal. It was their responsibility to ask the appropriate questions regarding the 'hows and whys" prior to purchase. They can't claim ignorance - they have more than enough technically savvy staff - hell, they make computers.....
They did an "I'm all right Jack" and it bit them in the ass. It was corporate negligence and should be punished appropriately.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
November 17th, 2005, 05:10 PM
#15
Tiger,
Don't miss understand me, Sony should be stamped on, and hard. My last post was not to excuse Sonys actions. More to highlight thier stupidity.
Personaly, I think the company are criminaly negligant.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
November 17th, 2005, 05:12 PM
#16
More to highlight thier stupidity
I'm down with that....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
November 17th, 2005, 05:23 PM
#17
'Most people don't even know what a rootkit is so why should they care about it?' says a SonyBMG executive
A senior SonyBMG executive has hit back at the criticism surrounding the company's use of a digital rights management (DRM) technology on a music CD.
Thomas Hesse, the president of SonyBMG's global digital business division, said in a radio interview last week that its use of rootkits is not an issue to the everyday user."Most people don't even know what a rootkit is, so why should they care about it?" he said in the interview with radio company NPR.
The copy-restriction software is hidden so that music pirates cannot find and remove it, according to Hesse. "This is purely about restricting the ability to burn MP3 files in an unprotected manner," he said.
Although Sony does not appear to understand why people are concerned about the use of rootkits, the EMI Group has tried to distance itself from the controversy by stating that it does not use rootkits on its own products.
"EMI is not using any software that hides traces of the program. There is no 'rootkit' behaviour and there are no processes left running in the background," an EMI spokesman said last week
More like arrogance then anything else, by the tone of this article you have to admit that Sony did indeed know enough about this technology that it would be an invasion of personal privacy, so I am of the opinion, that they should be keel-hauled and raked over the corals over this. Article
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
November 17th, 2005, 05:49 PM
#18
Most people don't even know what a rootkit is, so why should they care about it?
Because, Mr Thomas Hesse, it is these very users, who are not pirates. These users are the most vulnerable to exploitation, by ruthless shits (much like your self) who would seek access to thier computers, in an underhand and illigal way. With the intention of steeling thier private and personal information. Your rootkit inreases the possibilities of this occuring.
The pirates you speek of are well aware of the techniques you employ and take measures to bypass your measures. Your not very bright are you? Even those of us that have, just a little technical knowledge are aware that your DRM does not work on Linux.
<rant off>
I feel much better now.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
November 17th, 2005, 07:38 PM
#19
<soapbox on>
Folks, this whole SONY/First 4 Internet DRM thing just points out something that is totally scarey. Corporations and some developers are either stupid enough or unethical enough to release into the wild software of this crappy caliber and potential for destruction.
If we don't take some kind of grassroots action (boycotts, CD-burnings, community education, protests) to make enough of a counterpoint to this type of heavy-handed, irresponsible activity, other corporations and developers will soon follow SONY and First 4 Internet.
We (us in AO and other IT/IS Security communities) know what we are dealing with, and can respond or investigate appropriately. But we are an extremely small segment of the much larger population. The average music consumer will buy CDs with DRM software, install it not knowing the impact it will have on their system, and continue merrily along. All the while their system is impacted, exposed and owned. Problem is, they'll put this on home systems, work systems, school systems, all without any clue.
Getting good instructions for cleaning up the problem to the average user and expecting them to be able to competently perform the required steps is problematic. Trusting the source corporations to provide a simple removal process has proven to be almost more dangerous than the original problem.
This is a REAL threat to the stability and security of our networks and the internet.
Write, call or email congress persons, state legislators, governors, attorneys general, the media. Contact whoever you can think of. This threat cannot be minimized. Boycott all things SONY.
<soapbox off>
-
November 17th, 2005, 08:34 PM
#20
The great Bruce Schneier has a good take on this IMHO
http://www.wired.com/news/privacy/0,1848,69601,00.html
What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.
...
You might expect Microsoft to be the first company to condemn this rootkit. After all, XCP corrupts Windows' internals in a pretty nasty way. It's the sort of behavior that could easily lead to system crashes -- crashes that customers would blame on Microsoft. But it wasn't until Nov. 13, when public pressure was just too great to ignore, that Microsoft announced it would update its security tools to detect and remove the cloaking portion of the rootkit.
...
Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?
These questions are the real story, and we all deserve answers.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|