/* Javascripts ----------------------------------------------- */ /* * * * * * * BODY * * * * * * * ----------------------------------------------- */

Note that the title of most blog entries provides a link to the relevant document.

Wednesday, November 30, 2005

Freedom to Tinker: Sony, First4 Knew About Rootkit Issue in Advance

Security vendor F-Secure contacted SonyBMG and First4Internet about the companies’ rootkit software on October 4 — about four weeks before the issue became public — according to a Business Week story by Steve Hamm.

[+/-] show/hide this post

WaPo: Russinovich to join NY class action suit as expert witness

[+/-] show/hide this post

Mark's Sysinternals Blog: Premature Victory Declaration?

"Two weeks ago I declared victory in what the media is now referring to as the “Sony rootkit debacle”, but now I’m wondering if I jumped the gun. It turns out that the CDs containing the XCP rootkit technology are still widely available, there’s still no sign of an uninstaller, and comments made recently by the president of the Recording Industry Association of America (RIAA) make it clear that the music industry is still missing the point."

[+/-] show/hide this post

Businessweek: Sony BMG's Costly Silence

[+/-] show/hide this post

Businessweek: Spitzer Gets on Sony BMG's Case

[+/-] show/hide this post

Monday, November 28, 2005

Freedom to Tinker: MediaMax Permanently Installs and Runs Unwanted Software, Even If User Declines EULA

[+/-] show/hide this post

SONYSUIT.COM: Oklahoma class action suit.

[+/-] show/hide this post

Wednesday, November 23, 2005

Freedom to Tinker: What Does MediaMax Accomplish?

[+/-] show/hide this post

Sony Recall Information

[+/-] show/hide this post

Stars & Stripes: Military assessing possible threat posed by Sony security software

"Military network analysts are assessing a possible security threat that could result if the software is installed on government computers, according to Tom Ryan, an information assurance manager with the 5th Signal Command based in Mannheim, Germany."

[+/-] show/hide this post

Tuesday, November 22, 2005

EFF CA class action complaint against Sony BMG

[+/-] show/hide this post

PC Pro: News: US rights body and state of Texas file against Sony BMG

"The leading US digital rights campaigner has filed a class action lawsuit against Sony BMG, demanding that the company repair the damage done by the DRM software it included on over 24 million music CDs. The record label also faces litigation from the US state of Texas."

[+/-] show/hide this post

EFF: SonyBMG Litigation and Rootkit Info

By including a flawed and overreaching computer program in over 20 million music CDs sold to the public, Sony BMG has created serious security, privacy and consumer protection problems that have damaged music lovers everywhere.

At issue are two software technologies - SunnComm's MediaMax and First4Internet's Extended Copy Protection (also known as XCP) - which Sony BMG claims to have placed on the music CDs to restrict consumer use of the music on the CDs but which in truth do much more, including monitoring customer listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that can expose users to malicious attacks by third parties, all without appropriate notice and consent from purchasers. The CDs also condition use of the music on unconscionable licensing terms in the End User Licensing Agreement (EULA).

[+/-] show/hide this post

WaPo: EFF, Texas Attorney General Sue Sony

[+/-] show/hide this post

Texas AG complaint against Sony BMG

[+/-] show/hide this post

CNET News: Texas sues Sony BMG over alleged spyware

"Texas Attorney General Greg Abbott filed a civil lawsuit on Monday against Sony BMG Music Entertainment for allegedly including spyware on its media player designed to thwart music copying."

[+/-] show/hide this post

EFF Files Class Action Lawsuit Against Sony BMG

"The Electronic Frontier Foundation (EFF), along with two leading national class action law firms, today filed a lawsuit against Sony BMG, demanding that the company repair the damage done by the First4Internet XCP and SunnComm MediaMax software it included on over 24 million music CDs."

[+/-] show/hide this post

Monday, November 21, 2005

Freedom to Tinker: Does Sony’s Copy Protection Infringe Copyrights?

"Matti Nikki and Sebastian Porst have done great work unearthing evidence pointing to infringement. They claim that the code file ECDPlayerControl.ocx, which ships as part of XCP, contains code from several copyrighted programs, including LAME, id3lib, mpglib, mpg123, FAAC, and most amusingly, DVD-Jon’s DRMS."

[+/-] show/hide this post

FoxTrot Cartoon on Sony DRM code

FoxTrot by Bill Amend November 21, 2005

Provided by Universal Press Syndicate

[+/-] show/hide this post

Sunday, November 20, 2005

Original CD that started has now been pulled by Amazon.com

Currently Amazon.com: Get Right with the Man [SONY XCP CONTENT/COPY-PROTECTED CD]: Music: "Availability: THIS TITLE IS CURRENTLY NOT AVAILABLE. If you would like to purchase this title, we recommend that you occasionally check this page to see if it has become available."

This was the original Sony CD that infected Mark Russinovich's computer, and, thus, started this entire Sony DRM RootKit controversy - and as of 11/17/2005 it had been pullled by Amazon.com, and remains unavailable as of 11/20/2005.

[+/-] show/hide this post

EFF: An Open Letter to Sony-BMG

[+/-] show/hide this post

EFF: List of infected CDs

[+/-] show/hide this post

EFF: A Spotters' Guide to XCP and SunnComm's MediaMax

[+/-] show/hide this post

The LAME Project

"LAME is an LGPL MP3 encoder. The Open source development model allowed to improve its quality and speed since 1999. It is now an highly evolved MP3 encoder, with quality and speed able to rival state of the art commercial encoders".

[+/-] show/hide this post

De Winter Information Solutions: Spyware Sony seems to breach [LAME] copyright

"The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.

This article is a translation of this article I wrote for Webwereld.

It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3-encoder, and thereby breach the license. This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.

Sony complied with non of these demands, but delivered just an executable program. A computerexpert, whose name is known by the redaction, discovered that the cd "Get Right With The Man" by "Van Zant" contains strings from the library version.c of Lame. This can be conluded from the string: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 ".

[+/-] show/hide this post

LAME code

This is from Drew Lehman, who forwarded this from a user group list to cyberia-l cyber law listserve group:

oh the irony....

Sony's rootkit infringes on software copyrights

Close examination of the rootkit that Sony's audio CDs attack their customers' PCs with has revealed that their malicious software is built on code that infringes on copyright. Indications are that Sony has included the LAME music encoder, which is licensed under the Lesser General Public License (LGPL), which requires that those who use it attribute the original software and publish some of the code they write to use the library. Sony has done none of this. [BEH Note - see "Can I use LAME in my commercial program?"]

The evidence against Sony is compelling, and this further reveals the hypocrisy of Sony's actions. Sony claims that it needs to install dangerous, malicious, underhanded software on its customers' computers to protect its copyrights, but in order to write this malware, it has no compunction about infringing on the copyrights of public-spirited software authors who make their works available under free software licenses like the GPL.

I suppose it's natural to believe that everyone is at least as sleazy as you are: for Sony's rip-off artists, assuming that paying customers are planning to rip them off must come easy. Link




[+/-] show/hide this post

Friday, November 18, 2005

Wired News: Tainted Sony CDs Used Open Source

"Controversial copy-protection software used by music publisher Sony BMG on music CDs appears to have tapped an open-source project, raising questions about copyrights, software experts said on Friday."

[+/-] show/hide this post

CNET News: Sony's sour note

Sony BMG Music Entertainment finds itself singing the blues this week, after copy protection on many of its CDs struck a sour note on fans' PCs.

The record label will recall millions of CDs that, if played in a consumer's PC disc drive, will expose the computer to serious security risks. Anyone who has purchased one of the CDs, which include southern rockers Van Zant, Neil Diamond's latest album and more than 18 others, can exchange the purchase. The company added that it would release details of its CD exchange program "shortly."

[+/-] show/hide this post

CBC: CDs with security glitches sold in Canada

"About 120,000 Canadians may have bought Sony BMG CDs that can damage their computers."

[+/-] show/hide this post

Thursday, November 17, 2005

Freedom to Tinker: Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole

"It turns out that the web-based uninstaller SunnComm provides opens up a major security hole very similar to the one created by the web-based uninstaller for Sony’s other DRM, XCP, that we announced a few days ago. I have verified that it is possible for a malicious web site to use the SunnComm hole to take control of PCs where the uninstaller has been used. In fact, the the SunnComm problem is easier to exploit than the XCP uninstaller flaw."

[+/-] show/hide this post

Santana: Copyright Protection letter

Letter from Deborah Santana to Santana fans concerning Sony DRM software on "All That I Am" CD.

[+/-] show/hide this post

Slashdot: DVD Jon's Code In Sony Rootkit?

Slashdot | DVD Jon's Code In Sony Rootkit?: "An anonymous reader writes 'With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar.'"
[Entire Article]

[+/-] show/hide this post

Reuters: Software writers spot open source in Sony BMG CDs

Reuters: "Controversial copy-protection software used by music publisher Sony BMG on music CDs appears to have tapped an open source project, raising questions about copyrights, software experts said on Friday."

[+/-] show/hide this post

Wired News: Real Story of the Rogue Rootkit

Article looks at a lot of the subplots, including why the rootkit wasn't detected earlier by virus companies.

[+/-] show/hide this post

Wednesday, November 16, 2005

Wired News: Sony Folds Tent, Recalls CDs

"Sony BMG, yielding to consumer concern, said on Wednesday it was recalling music CDs containing copy-protection software that acts like virus software and hides deep inside a computer"

[+/-] show/hide this post

Wired News: Boycott Sony

[+/-] show/hide this post

Welcome to planet Sony - over a half a million sites

Dan Kaminsky at Doxpara Research has done some great work. In his article titled "Welcome To Planet Sony", he describes how he checked DNS servers around the world for cached DNS entries for the sites that the Sony rootkit sends play information home to. And he found that over a half a million DNS servers world wide had cached the appropriate DNS entries. This probably translates to over a half a million infections. And then he went a step further, and plotted the location of these DNS servers around the world. The results are great visuals of the infection:
* North America
* Asia
* Europe

Possibly a more readable report of his work can be found in an article on Wired News titled "Sony Numbers Add Up to Trouble".

[+/-] show/hide this post

serendipity: Is Sony in violation of the LGPL? - Part II

[+/-] show/hide this post

EFF: US-CERT: Never Install Audio-CD DRM Software

"Yep, you read it right. US-CERT recommends that you never install DRM software that comes with an audio-CD. Frankly, that's good advice. As for the EULA advice, it's a good idea, but Sony's problematic EULA does not tell you much about what the XCP may do."

[+/-] show/hide this post

Mark's Sysinternals Blog: Victory!

Mark Russinovich: "I’m proud to announce a significant victory in the ongoing Sony Digital Rights Management (DRM) saga; Sony has capitulated almost entirely. While not publicly admitting blame for distributing a rootkit, providing no uninstall for the DRM software, implementing a music player that sends information to Sony’s site, and supplying a remotely-exploitable ActiveX control for the on-line uninstall they eventually made available – all without any disclosure to users – they have come close."

[+/-] show/hide this post

CNET News: Attack targets Sony 'rootkit' fix

"Sony BMG took another blow Wednesday, when a security company said it has found malicious attacks based on software designed to defuse the record label's 'rootkit' problems."

[+/-] show/hide this post

BBC NEWS: Sony recalls copy-protected CDs

BBC: "Sony BMG is recalling music CDs that use controversial anti-piracy software."

[+/-] show/hide this post

Tuesday, November 15, 2005

Freedom to Tinker: Sony’s Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs

"Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

[+/-] show/hide this post

USA Today: Copy-protected-CD flap raises questions

"Sony BMG's move late Monday to recall nearly 5 million of its controversial copy-protected CDs did little to quiet backlash from consumers, tech-security experts and privacy advocates. The CDs, with XCP copy-protection software from British firm First 4 Internet, are vulnerable to computer viruses."

[+/-] show/hide this post

Wired News: Sony Numbers Add Up to Trouble

"More than half a million networks, including military and government sites, were likely infected by copy-restriction software distributed by Sony on a handful of its CDs, according to a statistical analysis of domain servers conducted by a well-respected security researcher and confirmed by independent experts Tuesday."

[+/-] show/hide this post

WaPo: Sony BMG is facing yet another class-action lawsuit

Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com): "Sony BMG is facing yet another class-action lawsuit stemming from the controversy over its anti-piracy software, this time from a New York attorney who filed a federal case that could potentially include consumers in all 50 states. "

[+/-] show/hide this post

Monday, November 14, 2005

USA Today: Sony to pull controversial CDs, offer swap

[+/-] show/hide this post

NY class action suit complaint

[+/-] show/hide this post

Dinis Cruz @ Owasp .Net Project : Sony stops rookit production, ActiveX contains vulnerabilities and 'doing a sony'

[+/-] show/hide this post

serendipity: Is Sony in violation of the LGPL? [LAME]

"Update: Click here

I'm sure you've already heard about the Sony rootkit that was first revealed by Mark Russinovich of Sysinternals. After the Finnish hacker Matti Nikki (aka muzzy) found some revealing strings in one of the files (go.exe) that are part of the copy protection software, the rootkit is also suspected to be in violation of the open-source license LGPL. The strings indicate that code from the open-source project LAME was used in the copy protection software in a way that's not compatible with the LGPL license which is used by LAME.

[+/-] show/hide this post

Mark's Sysinternals Blog: Sony: No More Rootkit - For Now

[+/-] show/hide this post

technewsworld: Commentary : Why You Shouldn't Buy Products From Sony This Season

[+/-] show/hide this post

Saturday, November 12, 2005

Boston Globe: Sony temporarily halts production of CDs with disputed antipiracy software

"Sony BMG Music Entertainment has temporarily halted production of music CDs that contain an antipiracy program, after two weeks of sharp criticism from technologists and Internet privacy advocates who said it was a destructive form of spyware."

[+/-] show/hide this post

Freedom to Tinker : Sony Shipping Spyware from SunnComm, Too

"What few people realize is that Sony uses another copy protection program, SunnComm’s MediaMax, on other discs in their catalog, and that this system presumably is not included in the moratorium. Though MediaMax doesn’t resort to concealing itself with a rootkit, it does behave in several ways that are characteristic of spyware."

[+/-] show/hide this post

Friday, November 11, 2005

MSNBC: Sony halts music CDs with anti-piracy scheme

"WASHINGTON - Stung by continuing criticism, the world’s second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers."

[+/-] show/hide this post

More Links - mostly MSM

Washington Post, Brian Krebs on Computer Security:
"Hackers Raid Sony's Playbook",
"Calif. Lawsuit Targets Sony",
"Sony's Attitude Has a History",
"Virus Writers Exploit Sony Anti-Piracy Software"

The Age: "Sony backs down over rootkit".

Security Focus: "Sony BMG faces digital-rights seige".

Christain Science Monitor: "Sony aims at pirates - and hits users".

BBC: "Sony BMG is facing three lawsuits over its controversial anti-piracy software".

New York Times: "Sony BMG's Copy-Protecting Watchdog". Nice summary of current status.

USA Today: "Bad things hide in PCs using Sony BMG software". Article concentrates on Stinx-E trojan virus mentioned before.

CNN: "New virus uses Sony BMG software". Another mention of the Stinx-E trojan virus.

SiliconValley.com: "Viruses exploit Sony CD copy-protection scheme".

[+/-] show/hide this post

Audio interview with Mark Russinovich

[+/-] show/hide this post

Sophos: Troj/Stinx-E virus

Another virus exploiting the Sony cloaking code.

[+/-] show/hide this post


Looks like bitdefender has found an IRC backdoor utilizing the Sony DRM code.

[+/-] show/hide this post

EFF blog entry links

The Electronic Freedom Foundation (EFF/eff.org) is the premier organization defending free speech, privacy, innovation, and consumer rights today on the Internet. You can find more information here.

The following are links to short EFF articles as of 11/11/2005 in chronological order (oldest first):

Uproot Sony-BMG's Invasion of Your Privacy and Your Computer

Sony-BMG rootkit DRM in a Nutshell

Are You Infected by Sony-BMG's Rootkit?

Now the Legalese Rootkit: Sony-BMG's EULA

Sony-BMG Rootkit: EFF Collecting Stories, Considering Litigation

New Virus Exploits Sony-BMG Rootkit

[+/-] show/hide this post

Mark's Sysinternals Blog (#4) - actual uninstall

This article titled "Sony: You don’t reeeeaaaally want to uninstall, do you?" primarily deals with the actual uninstall of the Sony DRM code. In his previous post, he discussed the first level uninsall that merely uncloaks the drivers, while downloading 3.5 mb of updated drivers. This is the actual uninstall process, and it is a doozy:
1) you first go to the Sony support site and guess that it is mentioned in the FAQ.
2) you then fill out a form with your email address and purchase information. According to Sony's privacy policy, they can, of course, use this for marketing purposes.
3) the send you an email with a "Case ID".
4) It directs you to another page that asks if you really want to uninstall the software.
5) It also requires the installation of an ActiveX control (i.e. it can only be run under IE, not any of the Gecko/Mozilla browsers).
6) The ActiveX control, CodeSupport.Ocx, signed by First 4 Internet, requires that you enter your Case ID and the reason for your request.
7) You are then informed that you will receive another email containing the uninstall instructions within one day.
8) This second email contains a link to a personal uninstall page. If you visit the page from the same computer from which you originally requested the uninsall, it is performed, but
9) If you try to access it from any other computers, you are directed to go back to step #2 above.

Interestingly, it appears that Sony uploads an encrypted snapshot of hardware ID information for your computer when you request a Case ID. This has to then match when you actually try to uninsall. Obviously, and attempt to make everyone who unintalls jump through those same eight steps.

And hence, Mark's title.

[+/-] show/hide this post

Mark's Sysinternals Blog (#3)

In this article, "Sony’s Rootkit: First 4 Internet Responds", Mark critiques the First 4 response to his questions. In particular, he shows how their method of uninstalling can cause a Blue Screen crash when drivers are unloaded due to the system call hooking of kernel APIs.

[+/-] show/hide this post

Mark's Sysinternals Blog (#2)

Second article by Mark Russinovich on Sony DRM Rootkit code is titled:"More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home". In the article, Mark looks at Sony's first attempt at an uninstall functionality. He points out that the way that the drivers load and system call hook and are later unloaded opens up a timing window. Also, he detects that the Sony code is transmitting play information to a Sony website whenever a copy protected CD of theirs is played.

[+/-] show/hide this post

First Trojan using Sony DRM spotted

Article by John Leyden in The Register says:
Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory.

"This means, that for systems infected by the Sony DRM rootkit technology, the dropped file is entirely invisible to the user. It will not be found in any process and file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit," warns Ivan Macalintal, a senior threat analyst at security firm Trend Micro.

[+/-] show/hide this post

Tim Anderson: Beware the power of the blog

Article talks about how Mark's original post caused a blogswarm around the world.

[+/-] show/hide this post

Italian police asked to probe Sony copy protection code

[+/-] show/hide this post

Why the new blog?

Mostly because it was hard keeping my normal blogging separate. But this also gives me a chance to do a lot more linking than before, because my regular blog is more aimed at analysis.

[+/-] show/hide this post

Thursday, November 10, 2005

List of Infected Sony Music CDs

A partial list of CDs infected by the Sony DRM rootkit code:

Trey Anastasio - Shine
Celine Dion - On ne Change Pas
Neil Diamond - 12 Songs
Our Lady Peace - Healthy in Paranoid Times
Chris Botti - To Love Again
Van Zant - Get Right with the Man
Switchfoot - Nothing is Sound
The Coral - The Invisible Invasion
Acceptance - Phantoms
Susie Suh - Susie Suh
Amerie - Touch
Life of Agony - Broken Valley
Horace Silver Quintet - Silver's Blue
Gerry Mulligan - Jeru
Dexter Gordon - Manhattan Symphonie
The Bad Plus - Suspicious Activity
The Dead 60s - The Dead 60s
Dion - The Essential Dion
Natasha Bedingfield - Unwritten
Ricky Martin - Life

Update 10/11/2005 @ 12:03 AM
From an XCP-Aurora web site press releases:
HOUSTON--(BUSINESS WIRE)--Aug. 9, 2005--Sterile burning content protection technology pioneered by First 4 Internet (F4i) has been utilised by Texas based Upstairs Records on its latest album by Lil Rob, "Twelve Eighteen".

Fontana Distribution, part of Universal Music Group and distributors for Upstairs Records Inc., are encouraging the independent records labels they distribute to use content protection on their CDs. "Twelve Eighteen", featuring the hit song "Summer Nights", carries the same content protection currently being used by Sony BMG.

First 4 Internet's XCP2 sterile burning technology has been used on over 30 new album releases since February 2005. [Emphasis added]

[+/-] show/hide this post

EULA (#3)

Ray Nimmer has a new blog out: http://www.ipinfoblog.com/. I first met Ray about 15 years ago at a Computer Law Association meeting. The joke was that he was constantly asked if he was "The Nimmer" (of "Nimmer on Copyrights" fame, originator of the definitive trestise on copyright law). His response was that he was "the Other Nimmer". Even then, he had already published a book on IP issues and was well known and respected in the computer law area.

In any case, in this new blog, he has an entry titled: "Shrink-wraps are enforceable contracts" in which he argues very strongly that shrinkwrap and clickwrap licenses, like the Sony EULA, are enforceable.

[+/-] show/hide this post

Sunday, November 06, 2005

EULA (#2)

In a previous post, I discussed some of the elements in the Sony End User License Agreement (EULA) that comes with its music CDs. Note the following in the EULA:
Before you can play the audio files on YOUR COMPUTER or create and/or transfer the DIGITAL CONTENT to YOUR COMPUTER, you will need to review and agree to be bound by an end user license agreement or “EULA”, the terms and conditions of which are set forth below. Once you have read these terms and conditions, you will be asked whether or not you agree to be bound by them. Click “AGREE” if you agree to be bound. Click “DISAGREE” if you do not agree to be bound. Please keep in mind, however, that if you do not agree to be bound by these terms and conditions, you will not be able to utilize the audio files or the DIGITAL CONTENT on YOUR COMPUTER.

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER.
So, what happens if you “DISAGREE”? Well, I went on a couple of web sites to look at return policies for music CDs. Amazon's refund policy provides that:
Items that do not meet our returns guidelines will receive only partial refunds:
* Any CD, DVD, VHS tape, software, video game, cassette tape, or vinyl record that has been opened (taken out of its plastic wrap): 50% of item's price.
Best Buy is worse. Its refund policy is:
Nonreturnable Items
These items include labor and/or installation services; consumable items such as phone cards, gift cards, food and drink; or items that are damaged or abused. Opened computer software, movies, music and video games can be exchanged for the identical item but cannot be returned for a refund.
So, if you buy a CD at Amazon and promtly find that it contains the DRM rootkit software, you can get half your money back. But regardless of how fast you discover it if you bought the CD at Best Buy (online or in a store), you are SOL.

But you are not out of options. You can sue Sony. Remember, the EULA was declined, so Sony is stuck with the normal warranties of fitness, merchantability, etc., which the CD arguably breaches.

More interestingly though, given that these major CD retail vendors return half (Amazon) or none (Best Buy) of your money if you decline, that lost money had to have bought something. In the case of Best Buy, a good argument can be made that you purchased the contents of the CD with it. Then what about the EULA? Two things. First, if all the money went to buying the contents of the CD, then you aren't receiving any consideration for your agreeing to the EULA. A contract not supported by consideration is void. Secondly, it is what is called an "after acquired terms" under the Uniform Commercial Code (UCC) II (Sales). This is the "Battle of the Forms" that merchants engage in. But they are not applicable to retail customers. Again, then, the EULA is arguably invalid. Alternatively, you could argue that the contract is one of adhesion, since getting half or none of your money back is not a realistic alternative.

Unfortunately, these same arguments have been made for awhile with software shrinkwrap agreements, and recently, they have been losing. Nevertheless, looking at the totality of the transactions (that you don't get your money back if you decline the EULA), a court is going to have to close its eyes to reality in order to enforce the EULA.

[+/-] show/hide this post

Amazon Music Reviews

Mark Russinovich found the Sony DRM rootkit after it was installed from a CD titled "Get Right with the Man" by Van Zant. As a result of his article in his blog, the music buying public has pummeled the CD in reviews on Amazon.com. Currently, it carries a one star rating (Amazon's lowest) almost entirely because of the DRM rootkit software. At last count, there were over 140 reviews, all negative, except for the first couple who reviewed the CD on its musical merits alone.

I do feel sorry for Van Zant, because this was not of their doing. Nevertheless, this appears to be spreading to other Sony CDs. None of those reviewers who panned the CD because of the DRM rootkit software expect to buy Sony CDs in the near future - at least not until Sony cleans up this mess. The questions though are how wide spread will the damage be to the company, and if it will die down in the near future? If not, then Sony's music business could take a big hit over this.

[+/-] show/hide this post

End User Licensing Agreement (EULA)

The End User License Agreement (EULA) on Mark Russinovich's Sony BMG music CD stated that:
As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.
Note that the EULA does not mention that the small proprietary software program is a rootkit, that it implements system call hooking of kernel APIs, that it actively scans running processes regardless of whether or not a CD is loaded, or that it transmits play information to Sony. It also does not mention that it is extremely difficult to uninstall.

This simply says that it doesn't matter what Sony did, it doesn't violate any warranties. Merchantability and Quality are especially relevant here, as the Sony DRM arguably would violate both.

Don't bother suing Sony, because you won't get any damages, or if you do, they will be limited to $5.00 (less than half the retail value of the CDs).

1. The rights granted to you hereunder to use the DIGITAL CONTENT are conditioned upon your continued possession of, and your continued right under a license from SONY BMG to use, the original CD product that you purchased. In the event that you no longer possess or have the right under such license to use the original CD product, your rights hereunder to use the DIGITAL CONTENT shall expire immediately, without notice from SONY BMG.

2. Without prejudice to any other rights SONY BMG or any SONY BMG PARTY may have hereunder, the term of this EULA shall terminate immediately, without notice from SONY BMG, and all rights you may have hereunder to use the LICENSED MATERIALS shall be immediately revoked, in the event that you: (i) fail to comply with any provision of this EULA, (ii) fail to install an update of the SOFTWARE that was previously provided to you by the SONY BMG PARTIES within the time specified, or (iii) file a voluntary petition or are subject to an involuntary petition under applicable bankruptcy laws, are declared insolvent, make an assignment for the benefit of creditors, or are served with a writ of attachment , writ of execution, garnishment or other legal process pertaining to any of your assets or property.

3. Upon the expiration or termination of this EULA, you shall immediately remove all of the LICENSED MATERIALS from your personal computer system and delete or destroy them, along with any related documentation (and any copies thereof) that you may have received or otherwise may possess....
Note a couple of things here. The EULA terminates when you get rid of the CD. No problem. But then you have to remove the software. Not so easy. Sony hasn't bothered to include an uninstall facility. Indeed, it hides itself from the system and doesn't bother to register with Windows so you can remove it via the normal Add/Remove Program control panel. Instead, you have to provide Sony a bunch of information before it will tell you how to uninstall the software - and better not try it yourself. Mark's CD drive disappeared when he tried it, and he is an expert. Most of aren't. Finally:


This means that if you sue, you have to do it in New York and can't get a jury trial. At least they didn't try to force arbitration.

All is not lost though. Most of this will be thrown out in many states. In Colorado, for example, an attempt to move venue is void in consumer transactions.

Additionally, my view is that it may be possible to attack (and presumably eliminate) the EULA through lack of actual consent, that it is an adhesion (or forced) contract, or that it fraudulently misleads as to the conduct of the DRM code.

[+/-] show/hide this post


At The Register is an article titled "World of Warcraft hackers using Sony BMG rootkit" by SecurityFocus. It starts out by asking: "Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD."

Apparently, World of Warcraft hackers are starting to use the Sony DRM rootkit to subvert the game's "Warden" security monitor. They just insert a Sony CD, let the software automatically install, and rename their favorite hacking tools to have names starting with "$sys$". Warden is then unable to detect them.

It sure didn't take long for the hackers to start exploiting the Sony DRM rootkit.

[+/-] show/hide this post

Saturday, November 05, 2005

Sony DRM rootkit code (#17) Blacklist

Some other commentors to Mark's recent blog entry: "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home" point out something else (from Matti Nikki):
Ohyea, another thing. This DRM system uses a blacklist to filter out what applications can and what can't read the CD. So, this doesn't protect the CD, but rather intends to break the listed software. To verify, use your hexeditor and you can locate the following list yourself:

If you want a more concrete proof, try to rename your favourite ripping software as $sys$whatever.exe and then run it again. You'll notice that the DRM system can no longer detect it, and thus you'll get good copy of the track you try to rip instead of one filled with noise.
and from Brad Green:
Thats just hilarious. I think everyone should simply not worry about removing the rootkit, as this is too difficult, and then just do at Matti says, and use the rootkit to make your favorite ripping tool immune to the DRM. On second thought, is their software breaking the DMCA? It provides a method to bypass copyright protection that they install? Hmm...
Note if you haven't been following this - the Sony cloaking software hides all programs and registry entries starting with "$sys$" - apparently, including from itself.

[+/-] show/hide this post

Sony DRM rootkit code (#16) System Call Hooking

The posters to Mark Russinovich's recent blog entry: "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home" have managed to use the Sony DRM code to break Windows systems by exploiting the vulernerabilities inherant in system call hooking.

In particular, if you rename the Sony drivers, then start the original, followed by the copy, then stop the original, followed by the copy, Windows systems fail. Why? Because when they load they do system call hooking, inserting themselves between the system call table and the driver that should be called for that API. But when you do it twice, each driver inserts itself at the top. So you have:
Table->module0 (original module)
But when you unload them in FIFO order (module1, module2), instead of LIFO order (module2, module1), it doesn't get cleaned up properly. When module2 is unloading, it restores the contents of the system call table to what it was when it loaded (module1), but module1 had already been unloaded. The table entry now points at the address where module1 was - but no longer is. Boom.

[+/-] show/hide this post

Sony FAQ

Following is from the Sony BMG FAQ:
6. I have heard that the protection software is really malware/spyware. Could this be true?

Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement.

If at some point you wish to remove the software from your machine simply contact customer service through this link. You will, though, be unable to use the disc on your computer once you uninstall the components.

Our technology vendors are constantly looking to improve the product as well as respond to any critical software issues found. Please check here for upgrades to address any known issues
Seems somewhat clueless to me. For example:
The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system.
Inactive? It seems like scanning all running processes every two seconds and querying for information about their executables (regardless of whether or not a CD is in the drive) is not "inactive". Sony may not be collecting the information that it receives automatically from sites playing its CDs, but it sure apparently receives such.
1. What computer access rights do I need to use this disc on Windows?

You must log on to your computer with Administrator rights or Power User rights to fully use the disc. Normally, you should have Administrator rights, unless you are working in a corporate environment in which case, you'll need to contact your IT department to have them install the software for you.

On Windows XP Home Edition system you will need Administrator rights (typically the default setting) as well, not User rights.
In short, you need Administrator privileges to install the Sony software. This is obvious from what it does, hiding files and registry entries, and installing system call hooks. Not the mark of benign software.

[+/-] show/hide this post

64 bit Windows

Following was from geek27:
NOT GOOD FOR 64bit USERS, October 9, 2005 Reviewer: tvideo (NJ, USA) - See all my reviews
Since, I don't care about stealing any music, the "Copy Protected" warning didn't bother me in the least. I am a Hardcore gamer I have a high end 64bit PC running Windows XP Pro. The CD claims it is compatible with Windows XP, it does NOT specify which versions so I assumed I was OK.

I installed this CD and I was forced to accept some agreement and then it installed some lousy music player. Everything seemed fine until next time I rebooted my PC both my DVD and CD drives had literally disappeared! That's right this so-called copy protection destroyed access to my drives!!! The copy protection REALLY works great they just disable all your CD/DVD drives so you can't use them with ANY discs anymore - UNBELIEVABLE!!!
Looks to orignally be from an Amazon review by "tvideo". We had heard rumors about 64 bit problems, and this seems to corroborate such.

[+/-] show/hide this post

Sony DRM rootkit code (#13)

Mark Russinovich has an update to his original post titled: "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home". He first goes through the hoops that Sony puts you through to partially uninstall their DRM code. It turns out that all it does is to uncloak it, and installs 3.5 mb worth of updated DRM drivers. Again, no mention is made of any of this in the Sony EULA. It apparently attempts to act like a normal driver/program install, with an entry for MediaJam showing up in the Add/Remove Program control panel. However, to no one's surprise, it doesn't work. Somewhere along the way, it executes:
net stop “network control manager”
Where “Network Control Manager” is the misleading name the developers assigned to the Aries driver so the command directs the Windows I/O system to unload the driver from memory. However, since the drivers utilize system call hooking, stopping the cloaking this way apparently opens a system to the small possibility of a crash.

Then comes the point that is interesting to me. Earlier posters had suggested that the Sony code connected to Sony. In otherwords, that we had some spyware here. This was vehemently denied by Sony. Mark confirmed that it indeed was going on. When you play a Sony CD, the drivers connect to a Sony site to tell them that. Mark says:
It appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way.
It still looks like spyware to me.

Update#1 - comment by xcp_support:
In responding to the specific comments in this blog we set out the following comments which I hope clears things up.

1) Blog: "The Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it."

Answer: The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities.

2) Blog: "The download of what should be a small patch is around 3.5 MB because it includes updated filters for the DRM software that the patch also installs (again, no mention of this is made in the download description)."

Answer: In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point.

3) Blog: He states that the patch installs something called MediaJam which he was not expecting and could not uninstall.

Answer: Service Pack 2 does not install the MediaJam player on the user's hard drive. The only MediaJam related file installed on the user's drive is a standard Windows file (unicows.dll) used to support multiple languages. When this standard Windows file is installed by Service Pack 2, it creates a MediaJam group in the Add or Remove Programs list -- even though no MediaJam player is installed. Attempting to 'uninstall' this program results in a dialog box which confirms that this program had never been installed in the first place.

4) Blog: He claims that the patch itself could cause a blue-screen, although he says the risk is small.

Answer: This is pure conjecture. F4I is using standard Windows commands (net stop) to stop their driver. Nothing more.

5) Blog: As part of the uninstall process he notes that "clicking on the Sony privacy policy link at the bottom of the page takes you to a notice that your email address will be added to various Sony marketing lists."

Answer: An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.

[+/-] show/hide this post

Friday, November 04, 2005

More Useful Links

Some more links:

Schneier on Security: "Sony Secretly Installs Rootkit on Computers"

Brian Krebs on Computer Security at washingtonpost.com > Technology: "Sony Raids Hacker Playbook"

F-Secure Antivirus Research Team: "A chilling though about CDs that have rootkit DRM" (Nov. 4 @ 08:13 GMT); "Sony releases update for DRM software" (Nov. 3 @ 09:47 GMT); 'The "Sony rootkit" case' (Nov. 1 @ 11:25 GMT)

washingtonpost.com > Technology > Special Reports > Cyber-Security: "Study of Sony Anti-Piracy Software Triggers Uproar:
File-Hiding Technique Alarms Security Researchers; Developer Offers Patch
" by Brian Krebs.

BBC News: "Sony is in trouble but we might be the ones who lose out in the end, says technology commentator Bill Thompson."

FOXNews.com: "Sony BMG Hacking Into CD Buyers' Computers" and "Sony BMG Releasing Rootkit-Revealing Patch".

The Inquirer: "Sony DRM is worse than you might think"

[+/-] show/hide this post

Letter to Colo AG

John W. Suthers
Attorney General
State of Colorado

Dear Sir:

This is to request that your office investigate the business practices of Sony and its various music subsidiaries in their sale of compact disks (CDs) containing computer code that intentionally harms the computers on which it is installed. The code was apparently designed to enforce Digital Rights Management (DRM), but goes well beyond that. It appears that many, if not most, music CDs being sold today by Sony subsidiaries that are marked as having "copy protection" include this malware, which Windows systems computers automatically try to install whenever they first detect such CDs.

Last week, the installation of this code was detected by operating systems expert Mark Russinovich and documented in his blog as: "Sony, Rootkits and Digital Rights Management Gone Too Far". Subsidiary information can be found on my own blog: http://bhayden.blogspot.com/

Apparently, the Sony code is automatically installed with the Windows autorun feature. It loads a couple of drivers and then crudely hides them and all the associated registry entries (which is why Mark calls this a root kit). In addition to checking to see if a user can legally play any subsequent CD loaded in his CD drive, the code also scans all running programs every two seconds, querying information about the executables for such each time, regardless of whether or not a CD is currently loaded in the CD drive. Also, in loading and registering these programs, the Sony code installs some system call hooks to link some of its routines into the Windows kernel. Both the crude hiding of the DRM code and the system call hooking introduce serious systems stability and security problems into the computers in which the software is installed. Indeed, there is evidence that the hacking community is already starting to exploit both.

The problem is that this software is little different from the "spyware" that has become so prevelant, except that it is delivered via CD instead of over the Internet. In an older version of Sony's End User Licensing Agreement (EULA), no mention whatsoever is made of the code. In the latest version, instead of describing what the code actually does and how it affects computers in which it is installed, Sony instead prohibits disassembly and the like of the code - and appears to be threatening to use this against anyone who tries to detect and uninstall its code. This EULA does state that if you don't like the code, it can be uninstalled, but then doesn't supply uninstall code. Then, the uninstall code that you can download from its site merely removes the crude cloaking, leaving the code that scans all running processes every two seconds and the system call hooks in place.

The Sony malware arguably violates the CO Consumer Protection Act, notably C.R.S. 6-1-105(u), as well as numerous federal statutes, including the Digital Millennium Copyright Act (DMCA) and the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT). Also, Sony may be liable under theories of common law trespass to chattels, consumer fraud, negligence, and computer tampering.

The reason that I am referring this to your office is that Sony is one of the biggest sellers of music in this country. Without intervention, it is likely that probably hundreds of thousands of Sony CDs containing this DRM malware will be purchased by tens of thousands of Colorado residents and installed on tens of thousands of Colorado computers over the next year.

Already, some California attorneys are looking for class plaintiffs for class action suits against Sony over this. While this crude weapon would presumably work in the long run to get Sony to change its actions, my view is that typically the attorneys involved benefit most from this type of lawsuit. I believe that action by the Colorado Attorney General's office, as well as by other Attorneys General, would much better serve the music buying public.

Thank you for your consideration of this matter.
Bruce E. Hayden
Dillon, Colorado

[+/-] show/hide this post

Thursday, November 03, 2005

Security Issues

A number of posters have talked about the fact that it takes "Administrator" privileges in order to install the Sony DRM root kit code. This is, in particular, true since that code conceils the Sony code, directories, registry entries, etc. and it installs code that inserts system call hooks. The obvious solution then is to run as a user under "User" instead of "Administrative" level privileges.

Theoretically, this is a legitimate suggestion. However, I would suggest that the vast majority of P.C. users don't understand multiple users and privilege levels. Rather, Windows XP Home Edition comes with one user ("Owner") configured as an Administrator. Most users never change this. Thus, they run, day in and day out, as "Owner" with "Administrator" privileges.

[+/-] show/hide this post

Wednesday, November 02, 2005

System Call Hooking

I hate when I have to rekey something this long because blogger timed out, but... This is going to be fairly long and technical. I should note that while I have significant expertise in operating systems (OS), most of it was in older OS's than Microsoft Windows, and in particular, Windows NT, and progeny: 2000 (2K)and XP.

Let's start with virtual memory. Computer programs need two things to execute: control of a processor, and a program loaded in physical memory. But from the first, programs that need to be run have exceeded the physical memory available. This is a moving target, with program sizes growing as fast as, if not faster than, physical memories. The most successful solution to this problem is "virtual memory". Programs are allocated a (large) chunk of disk space. Fixed sized pages of a program correspond to similar sized pages on disk. This is the virtual memory image of the program. Then, when the program needs a page from its virtual memory, a page from physical memory is allocated, and the appropriate page from disk is loaded into the physical memory page. Later, the phsical memory page may be allocated to another virtual page for another program, in which case, the contents are rolled back to disk (if necessary), before the new contents are loaded there. The result is a much larger address space than is possible with phsyical memory. Indeed, it allows me to run the same OS (Win2K) on computers with physical memory ranging from 32mb to 768mb.

On to the kernel. At a minimum, the kernel is the part of the OS that needs to always be present in physical memory in order for a computer to run. At a minimum, it includes first level interrupt code, the cpu dispatcher, and memory management - all necessary to make virtual memory work. It also often includes other high security, high usage routines. Note though, that the kernel is locked into physical memory - it does not use virtual memory, but rather is necessary to implement it.

On to binding. One essential of computer programming is the concept of subroutines. A program enters a subroutine, which does some work, and then returns to the original program. The subroutine may, and ususally does, call or invoke other subroutines. OS functions in modern OS's are also typically invoked as subroutines. Binding is the determination of where subroutines are located so that they can be called. Older OS's bound their subroutines at link/edit time, requiring relinking when any changes are made. Modern OS's utilize tables of addresses to indirectly access subroutines or functions. This provides a lot more flexibility, since, instead of directly calling the routine at address 80402020, the routine at table entry #43 (that contains 80402020) can be invoked instead. Then, at the next boot, the routine may move to 80604020. But that is transparent to other routines, since they would still access it through table entry #43.

Microsoft Windows has a table of kernal routines or APIs called the "system service table". Each kernal routine has an entry in that table, and access is made by specifying its entry number in the table. The Sony DRM root kit replaces several of the entries in the system service table with addresses of Sony routines.

Note the first problem with this. The Sony routines are not located in the kernel. Thus, they are subject to virtual memory swap. And if they swap out, something else is likely to be loaded into physical memory at the location specified by those system service table entries overwritten by the Sony code. If another program is loaded there, it will be executed instead. And if it contains data or garbage, the results are liable to be even more bizarre when the APIs corresponding to those overwritten system service table entries are invoked.

Secondly, Microsoft enforces kernel security through a number of security measures. One of them is to checksum kernel routines when loaded at boot time, and check that those checksums match their expected values. This is missing for the Sony routines, since they don't reside in the kernel (and weren't written by Microsoft). They are thus significantly more vulnerable to being overwritten, linked to, etc. than the corresponding MSFT runctions. And note that any routines that utilize this security hole would execute in kernel mode, allowing almost unfettered access to the computer.

Thus, the Sony DRM root kit is likely to reduce both security and stability of Windows sytems.

[+/-] show/hide this post

Sony DRM rootkit code (#8)

BNA's Internet Law News (ILN) - 11/2/2005 (today) linked to an article on CNET news titled "Sony CD protection sparks security concerns". Given their reputation, I would have expected a more critical analysis of the original article by Mark Russinovich. This article essentially said that the Sony DRM root kit code posed no real danger to systems, nor did it cost anything besides a little memory (cheap these days). This ignores Mark's points about system call hooking vulnerabilities and the overhead of scanning the executables of all the executing processes every two seconds. It also failed to mention that all files, regardless of source, starting with $SYS$ are hidden by the code.

[+/-] show/hide this post

Sony DRM rootkit code (#7)

The Sony DRM root kit thing was picked up by Clicked at MSNBC online in an article entitled: "Running from the beat of a different DRM". And that article links to an article entitled "DRM Crippled CD: A bizarre tale in 4 parts" at The Big Picture Blog. And that is where things got interesting.

According to The Big Picture, the DRM stuff started as a fight between Sony and Apple. It seems that Sony doesn't like the fact that there are a lot of people ripping songs off of its CDs and downloading them to their iPods, and, maybe even worse, bypassing that to buy just the single songs from Apple's iTunes site. And hence the ever stranger tale told there in four parts. By the end of it, through the installation of the DRM root kit code among other things on Windows machines, Sony is pushing its recording fans from Windows based computers to Macs made by, of course, arch-enemy Apple. Weird. Sony indirectly pushing Macs as a reaction to iPods and iTunes, all from Apple.

[+/-] show/hide this post

Tuesday, November 01, 2005

Trespass to Chattels

One of the legal theories or causes of action that looks promising for anyone suing Sony, et al. for their installation of the DRM root kit code is trespass to chattels. Wikipedia defines Trespass to chattels as:
Trespass to chattels is a tort whereby the infringing party has intentionally (or in Australia negligently) interfered with another person's lawful possession of a chattel. The interference can be any physical contact with the chattel in a quantifiable way, or any dispossession of the chattel (whether by taking it, destroying it, or barring the owner's access to it). As with all intentional torts, it is "actionable per se" so no proof of damage is required.

The origin of the concept comes from the original writ of trespass de bonis asportatis. As in most other forms of trespass, remedy can only be obtained once it is proven that there was direct interference regardless of damage being done, and the infringing party has failed to disprove either negligence or intent.

In some common law countries like the United States and Canada, a remedy for trespass to chattels can only be obtained if the direct interference was sufficiently substantial to amount to dispossession, or alternatively where there had been an injury proximately related to the chattel. (See Restatement (Second) of Torts, 1965.)

Damages from a trespass claim are limited to the actual harm sustained by the plaintiff (which can include economic loss consequent on the trespass - e.g. loss of profit on a damaged chattel). In cases of dispossession, the plaintiff is always entitled to damages if they can prove the dispossession occurred, even if no quantifiable harm can be proven.

Chattels are tangible personal property. Trespass to chattel is then primarily borrowing or utilizing chattels of another without permission. When I was in law school, this was one of those archaic torts that you have to learn about, but never expect to see, since damages are traditionally based on the actual harm done the owner of the chattel by the party trespassing thereof. Thus, if someone steals your bike, you can sue them, but if they don't harm the bike, you probably aren't going to get any damages. But a recent case, Sotelo v. DirectRevenue LLC, No. 05 C 2562 (ND Ill. Aug. 29, 2005), may have changed that.

In Sotelo, the plaintiff sued the defendant for installing spyware on his computer. One of his causes of action (or legal theories) was trespass to chattels. The defendant moved for summary judgement on this claim, and the Court denied. It found sufficient basis for such a claim to allow the case to go forward. Some comments on the case can be found in an article in USA Today by Eric Sinrod, Eric Goldman's Technology & Marketing Law Blog, and an article in freerepublic.com by Ernest_at_the_Beach. Goldman points out that:
The court explains a little more about what constitutes "causing harm" by noting that the plaintiffs allege that spyware:

1) causes significant and cumulative injury to computers
2) interferes with the computer usage
3) slows down the computer
4) uses bandwidth
5) increases "Internet use charges"
6) depletes a computer's memory
7) uses pixels/screen space on monitors [this one is pretty silly]
8) requires more energy because slowed computers must be on longer [also pretty silly]
9) reduces user productivity
10) increases user frustration

In the case of the Sony DRM root kit code, an argument can be made that ##1, 2, 3, 6, 8, 9, and 10 are potentially applicable.

[+/-] show/hide this post

Sony DRM rootkit code (#5)

Legal Buff / ReynenStarfyre on the comment thread at Mark's Sysinternals Blog posts some interesting theories:
This action violates many local and international laws. Lets look at some of the ones mentioned.

DMCA anyone? Whos's the one NOW circumventing security? Wouldn't be grand if the DMCA was used AGAINST the RIAA and associated for the very same thing they are sueing other people for?

By sony installing rootkits they are effectly bypassing any security put in place and IF someone uninstalls it, they can completely screw up their computer.

I know someone in fact has installed this on a government computer that has TIGHT security. How do you think they will feel knowing SONY has willingly put on and changed a ROOTKIT.

Great news for computer repair's across the country. Is SONY going to pick up the tab because THEIR DRM software screwed up the computer?

Also if buy a CD and it doesnt work, fraud anyone? It's very clear if you buy something and it doesnt work, you are entitled to get your money back else it IS considered fraud regardless of any EULAs or store rules.

What is really ironic, I know a senators child who just happened to buy a number of SONY cd's with the DRM. Won't it be interesting when they install it on DADDY's computer.

SONY did you consider what happens when you piss of a senator? You think he is going to be happy to find out out about, and heaven forbid his kid try and remove it. Then he'll REALLY be mad.


This software will be considered spyware under the ASC definition,

The ASC's most recent definition of spyware is:

Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

* Material changes that affect their user experience, privacy, or system security;

* Use of their system resources, including what programs are installed on their computers; and/or
* Collection, use, and distribution of their personal or other sensitive information. - thank you Mellisa


"The Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, makes spyware illegal, but it is unclear if the SPY ACT defines spyware the same way as the ASC.... " - thank you Mellisa


INAL, but this appears to be illegal in the State of California, punishable by a $1000 fine per computer affected.

California Business & Protections Code Section 22947.3, Paragraph C:

A person or entity that is not an authorized user, as defined in Section 22947.1, shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
(c) Prevent, without the authorization of an authorized user, an authorized user's reasonable efforts to block the installation of, or to disable, software, by doing any of the following:
(1) Presenting the authorized user with an option to decline
installation of software with knowledge that, when the option is
selected by the authorized user, the installation nevertheless proceeds.
(2) Falsely representing that software has been disabled.

- Thank you Erik


Computer Misuse Act - UK

Ever think of this one? It may be old but it's broad, however it does cover what is mentioned that they do.


Even if they changed the EULA, it's been proven that the DMCA OVERULES THEM. After all the RIAA has used the DMCA to overrule EULA's before theyby setting a precendence for others to use against them AND thier associates.

I love how they shoot themselves in the foot.

Also as previously stated the rootkit and can used by other programs to future exploit the system. So SONY has thereby placed a method to where others can hack the machine.


I look forward to a class action suit. If nothing else, bad publicity will hurt them more then anything.

Remember the embarassing bypass with a marker anyone?

[+/-] show/hide this post

Sony DRM rootkit code (#4)

A recent post to cyberia-l by Drew Lehman discusses the DRM root kit code:
This was sent to a list for a user group I run. Seems this is the talk of the town everywhere.

After further reading at XCP1 Burn Protect - F4i XCP Aurora , it seems that the prerelease material refers to copies for internal use at the studios and should not be distributed publicly anyway. So, Universal, Warner & EMI are well within their rights to put this stuff on CDs that should only ever be run on their own systems.

*Where is XCP being used?*

XCP1 and XCP Red technology is being used by all four of the major Record Labels for the protection of pre release music on internal CDRs. Albums from some of the best known artists have been successfully copy protected in this way to reduce the occurrence of leaks prior to release.

*The Financial Cost Of Pre Release Leaks*

Record Labels regularly suffer the financial consequences of leaked pre release music when internal or promotional CDRs are wrongfully copied and distributed prior to the commercial release date. Many Record Labels are now analysing the effect on sales of new release album sales. Not surprisingly those albums that are successfully protected prior to commercial release achieve significantly higher sales revenue in the first two weeks than those that are not.

It appears that only Sony has taken the slimy dishonest and, most likely, illegal route of allowing this to be installed on their customers' systems. At least so far. The others were probably waiting in the wings to see how far Sony got and whether they would be caught. I wouldn't be surprised if they all agreed to underwrite Sony's legal defense, in return for Sony playing the role of the test rabbit.

So according to this, originally the DRM root kit code was developed to prevent illegal distribution of pre-release music. It appears that other music companies, including Universal Music Group, Warner Music Group, and EMI are still utilizing it for that purpose. Only Sony has apparently started shipping it with publically released music.

[+/-] show/hide this post

Sony DRM rootkit code (#3)

Last night on cyberia-l, I suggested a class action suit against Sony for the damage done by the installation of their DRM root kit code. Someone asked for potential causes of action (i.e. legal theories). Carol Ruth Shepherd of Arborlaw Associates PLLC suggested the following:
You would have most of the same causes of action alleged in the Sotelo v DirectRevenue case in Chicago--trespass to chattels, consumer fraud, negligence and computer tampering.

Consumer fraud is almost always going to be claimed, under the various state "little FTC" laws, because in most states a violation of the consumer protection statute provides for attorneys' fees and in many cases also provides treble damages (Michigan is one such state). That starts making litigation look economically feasible.

Sotelo is a case about spyware companies gathering info to facilitate directed advertising, where the raison d'etre for the software is to generate third-party advertising revenue for the spyware distributor when the software beams personal browsing data back to the mother ship. That's definitely unjust enrichment in my book--hey, my data must be valuable, because people keep selling it and paying each other lots of money to buy it!!!

I think it will be interesting to see if the common-law right to privacy and right to publicity laws change--used to be, you had to make a living at your celebrity, to get compensation for unjust enrichment through the use of your "identity". So, Dustin Hoffman gets $100K for having his face photoshopped onto a billboard in L.A. that features a mature woman dressed up a la Tootsie. If legislatures pass legislation that removes the presumption that you have to be a celebrity to get paid for use of your identity for money, then a lot of us start getting micropayments...of course, this scenario destroys the entire data mining industry, which some people would consider to be a Bad Thing.

With regard to Sony--their "spyware" is DRM software, correct? They at least can claim this is a legitimate activity--protection of copyrighted material under the DMCA.

So here's the really interesting question: whether DMCA anti-circumvention law federally preempts the computer owner's right to (a) remove something installed without his permission on his own computer, (b) sue Sony for trespass to chattels, consumer fraud, negligence and/or computer tampering.

Greg Broiles asks:
I wonder if this is a violation of CA's new anti-spyware legislation, at CA Business & Professions Code section 22947 et seq, specifically
22947.4 ..

"22947.4. (a) A person or entity, who is not an authorized user, as defined in Section 22947.1, shall not do any of the following with regard to the computer of a consumer in this state:
(1) Induce an authorized user to install a software component onto the computer by intentionally misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content.
(2) Deceptively causing the copying and execution on the computer of a computer software component with the intent of causing an authorized user to use the component in a way that violates any other
provision of this section. [...]"

[+/-] show/hide this post

Sony DRM rootkit code (#2)

Things are picking up a bit with the Sony Digital Rights Management (DRM) Root Kit code situation. Glenn Reynolds at Instapundit.com, one of the top blog sites, had a link to whizbangblog on the subject. Also, back on Mark's Sysinternals Blog, where I first saw this last night, one poster commenting there is already trolling for class action legal business:
We would be interested in speaking to any California residents that have experienced this problem before the EULA was changed. We have looked at many DRM cases and Sony went too far with this particular scheme. You can contact us at gw@classcounsel.com.

[+/-] show/hide this post

Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far

It appears that Sony, one of the biggest companies in the world, has potentially made a huge mistake legally. They are apparently installing Root Kit level Digitial Rights Management (DRM) software when people buy their music and try to play it on their computers. A Root Kit is defined by Wikipedia as: "...a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes." They then go on to describe two types of root kits, user level and kernel level. The Sony DRM code is kernel level. Among other things, it does Windows system call hooking - which means that it diverts certain system calls to its own ends. It also apparently runs every two seconds, querying about the executables for all the then running processes. It also fairly effectively hides itself by cloaking itself and hiding directories.

I should note that the author of the above cited article thinks that the system call hooking potentially opens up some timing windows in Windows. In other words, it is fairly crudely done and introduces potential instability into Windows systems in which the DRM software is installed.

Originally, the Sony End User Licensing Agreement (EULA) apparently didn't even mention the installation of the software. It was modified to do so last night. However, the modifications don't go nearly far enough, esp. when suggesting that you could uninstall the software if you didn't like it - despite not including uninstall software in the first place. Also, if you uninstall yourself, your CD player becomes inoperative.

Posters to that blog entry point out that the Sony DRM software more than likely violates the laws of numerous countries, and, here in the U.S., the laws of several states. Also, the company could be liable to its customers under any number of legal theories, including trespass to chattels (a case came down a week or so ago accepting this theory).

[+/-] show/hide this post