Sony CD's install spyware?

[Gwarsbane]

Did you actually think it would have stopped by now? ya right...

http://blogs.washingtonpost.com/securityfix/

Posted at 06:35 PM ET, 11/ 8/2005
Calif. Lawsuit Targets Sony

A class-action lawsuit has been filed on behalf of California consumers who may have been harmed by anti-piracy software installed by some Sony music CDs. A second, nationwide class-action lawsuit is expected to be filed against Sony in a New York court on Wednesday seeking relief for all U.S. consumers who have purchased any of the 20 music CDs in question.

Experts say the Sony CDs use virus-like techniques to install digital rights management software on computers. Windows users cannot listen to the protected CDs on their computers without first installing the software, which hides itself on the users' system and cannot be uninstalled by conventional removal methods.

The California lawsuit, filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, Calif., attorney Alan Himmelfarb, asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them.

The suit alleges that Sony's software violates at least three California statutes, including the "Consumer Legal Remedies Act," which governs unfair and/or deceptive trade acts; and the "Consumer Protection against Computer Spyware Act," which prohibits -- among other things -- software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program. The suit also alleges that Sony's actions violate the California Unfair Competition law, which allows public prosecutors and private citizens to file lawsuits to protect businesses and consumers from unfair business practices.

Himmelfarb was on a plane at the time of this writing and could not be reached for comment.  But a court-stamped copy of the lawsuit he filed is online here (PDF).

Scott Kamber, an attorney in New York, said he plans on Wednesday to file class-action suits targeting Sony under both New York consumer protection statutes and a federal criminal statute that allows civil actions.

"This situation is particularly egregious and surprising from a company that should be familiar with concerns people have with programs crashing their Windows computers," Kamber said. "What Sony is saying with this software is that 'Our intellectual property is more deserving of protection than your intellectual property,' and Sony can't be allowed to get away with that."

Sony spokesman John McKay declined to comment on the suits.

I wouldn't be surprised if other lawyers and law firms around the country are also preparing to file similar suits.

As I wrote in a story last week, "Sony's move is the latest effort by the entertainment companies to rely on controversial 'digital rights management' (DRM) technologies to reverse a steady drop in sales that the industry attributes in large part to piracy facilitated by online music and movie file-sharing networks like Kazaa and Limewire."

Experts who studied the Sony program said it has a built-in file-cloaking feature that could also be used by attackers to hide viruses and other files on a user's computer, and that conventional means of removing the anti-piracy software renders the user's CD-Rom drive inoperable.

In response to public criticism over the invasiveness of the software, Sony last week made available on its Web site a "patch" that would prevent its software files from hiding on the user's system. But according to further research by a variety of security experts, that patch can lead to a crashed system and data loss.

Lots of links to click in the above

Posted at 10:05 AM ET, 11/10/2005
Sony's Attitude Has a History
A Security Fix reader with an excellent memory (thanks, Patrick) reminded me today of a few choice words spoken nearly five years ago by Sony Corp. chief executive Howard Stringer that eerily foreshadowed the controversial soup that Sony BMG now finds itself mired in over the invasiveness of its anti-piracy technology.

Cue the spooky music and the wavy screen, and we'll take you way back in Internet time to March of 2001, to a confab of technology industry titans dubbed the "Silicon Summit II." Among the items up for discussion at the time was what to do about Napster (this was back in the Stone Age of the Internet, before the entertainment industry succeeded in scuttling the file-sharing service, only to see the concept rise from the ashes and multiply).

I tried to find a transcript of this particular roundtable, but MSNBC -- which hosted it -- has since moved the hyperlink, so a snippet from this ZDNet story (there is no author listed) will have to suffice.

"The panelists then talked about the controversial song-swapping service Napster and the need to find a way for people to download music over the Internet in a way that enables the artists to get paid for their work....

Sony CEO Howard Stringer, who kept the audience laughing throughout the night with a battery of quips, said, “Right now it would be possible for us, and I’ve often thought it would cheer me up to do it, you could dispatch a virus to anybody whose files contain us or Columbia records, and make them listen to four hours of Yanni ... but in the end we’re going to have to get serious about encryption and digital-rights management and watermarking.”

A student in the audience then put Stringer on the spot, telling him he had recently bought a portable digital music player made by Sony that makes it easy to download songs from the Internet. Isn’t it hypocritical of Sony, he asked, to be fighting Napster from its music division and then supporting it by making such devices?

Calling the student’s question a good one, Stringer replied, “At some point, we work it out as we go along. But if we don’t stay in the business, someone else will do it. And there’s a real danger with the margins of consumer electronics companies that Singapore and Korea and so forth will design the machines. So we play defense on the one hand and offense on the other hand. And if it seems a little illogical it’s only defending our turf.”

Fast-forward to Nov. 4, 2005, when Thomas Hesse, president of Sony's Global Digital Business was interviewed on National Public Radio's Morning Edition, and said of complaints that Sony's anti-piracy software behaved exactly like a rootkit:

"Most people, I think, don’t even know what a rootkit is, so why should they care about it?"

Small wonder, then, that class-action lawyers are starting to circle Sony's wagon train. Can anyone at Sony really be scratching their heads as to why there is so much public outrage and indignation over this entire anti-piracy escapade? The offhand, flippant remarks of Sony's senior leadership speaks volumes about the company's attitude toward the rights of their customers.

Again lots of links in the above. In this posting I think one of my favorite lines is...

"Most people, I think, don’t even know what a rootkit is, so why should they care about it?"

This comes of Thomas Hesse, president of Sony's Global Digital Business. The guy sure seems like a moron to do. Why should they care about it??? I'll tell you why because it opens up their computer to lots of illegal and dangerious stuff. At least there are more and more people out there that are looking out for the ones that don't know anything about this stuff (or think DRM is good) and trying to teach those people that stuff like this is VERY VERY bad.