Yet Another Sony Flaw Found

When it rains, it pours. Researchers at Atlanta-based Internet Security Systems Inc. say they've uncovered yet another security flaw in Sony BMG's anti-piracy software that attackers could exploit to take total control over any vulnerable machine.

The discovery was made by ISS's X-Force Research and Development team, but the advisory just issued is a bit light on details, such as whether the company managed to develop an exploit for the flaw.

This comes on the same day that researchers at Princeton said they found that a security patch Sony issued to remove the most dangerous portions of its anti-piracy software actually introduces new security flaws that allow any Web site to install any software on computers that have been outfitted with the patch.

By Brian Krebs  |  November 15, 2005; 3:49 PM ET
Categories: Latest Warnings, Piracy

Comments

Obviously making a mockery of US law is easier than beating the Law of Unintended Consequences.

Posted by: GTexas | November 15, 2005 4:25 PM | Report abuse

Can you say class action lawsuit...

Posted by: Anonymous | November 15, 2005 9:08 PM | Report abuse

As this whole Sony issue becomes more widely publicised and mainstream (something which seems unavoidable given the extent of the damage and the number of stuff-ups) there is potentially one big positive that may come out of Sony's mess.
That is the end of copy protection schemes on CDs. After all, what sort of idiot is ever again going to purchase a labelled copy protected CD if they intend on using it on their computer? You obviously can't trust the music companies to not install dangerous programs on your computer, so the only option is to not buy copy protected CDs.

Posted by: Positive Outcomes | November 16, 2005 12:30 AM | Report abuse

It amazes me that Sony should make such a mess, but there is a simple solution to the whole copy protection fiasco: don't use entertainment CDs and DVDs on your computer. There are plenty of standalone players available that don't need protection from hackers and can do the job, and nowadays they are dirt cheap. Don't put your personal or business data at risk from these incompetents.

Posted by: Astounded | November 16, 2005 9:26 AM | Report abuse

There is advantage in being a computer illiterate like me.
I don't use them things, and I promise not to buy another Sony product!

Posted by: Joe | November 16, 2005 11:04 AM | Report abuse

While I agree this might bring to an end copy protection, at least copy protection that is actually MENTIONED, but I would not be surprised to see some copy protection scheme secretly placed on CDs. Why not?

Perhaps in the end, the American sheep will see the results of the DRM act and demand a change in the law. I doubt seriously that a class action lawsuit would be successful under the provisions of the DRM. After all, when you bought the CD you signed all of your rights away, that is what the DRM does.

Posted by: Red Rat | November 16, 2005 12:00 PM | Report abuse

I noticed a review of Neil Diamond's latest in today's Post.

This is one of the CDs that is listed as having this DRM software. Shouldn't the review mention this? Not that it should dominate the discussion, but if the reviewer wrote the article at the Post's Office, and referenced it there by playing it on their computer, could that violate the EULA?

And infect that computer?

Posted by: Keith | November 16, 2005 12:24 PM | Report abuse

Isn't installing Trojan Horse programs on someone else's computer called "Unauthorized Use of a Computer", which is a felony crime under Federal law?
Sony's surreptitious acts are not qualitatively different from a vandal who breaks into other people's computers and damages things or steals information.

Posted by: orange | November 16, 2005 2:59 PM | Report abuse

I echo the comments of Joe:

"I don't use them things, and I promise not to buy another Sony product!"

I would like to be able to buy products with brief and reasonable EULAs.

I would like to make the consequences inversely proportional to the damage (AT&T overcharged me for phone calls--probably also overcharging millions of people who did not notice--and when I protested, offered to refund me the $3.27).

The origin of copyright law was to make artistic creation feasible for an individual, not profitable for a multi-billion dollar corporation.

Don't buy Sony products. Don't copy artists' creations without sending them ten times as much money as Sony would have.

Posted by: Bill | November 16, 2005 7:16 PM | Report abuse

I am working on my PhD in Applied Irony.

Sony builds and deploys rootkits in order to get you to register for "uninstallers" that don't uninstall the programs, but rather tell you they are there for sure. This unhides the open source software they inadvertently compiled into the software without permission of the original authors.

Sony does this in order to "help protect" Celine Dion from her fans.

The fans like the music but not the player that is installed. They can pop out the music by Ms. Dion at any time by pressing the CD eject, but they can never eject the player they don't like.

Sony is strongly anti-piracy. Pirates love the CD, but they don't all like Celine or her music. They do like cloaking software that is sold for $10 though, and turns out that it may even be a federal offence for them to remove it. So, they may as well "live with it". It helps them play World of Warcraft more efficiently, and lets them run any program without being found.

So, they use it to run pirated copies of Sony's recorder software at the same time as they listen to Ms. Dion's music, and make wonderful copies of each without any chance of detection. If they are detected, wouldn't it mean that the original software created by Sony is defective? Its intent was to hide instances of running software, so they might possibly sue Sony at that time.

Federal laws protect Sony though, since Sony needs digital rights management. Pirates also need this to protect their own personal creativity, such as the garage band that plays on garbage cans, recorded live to tape deck, converted to CD, and burned as their "Greatest Hits" album. Then they distribute that with their newest worms, trojans, and rootkits (this one stolen from Sony ... think they would ever want to bring this subject back up again?) but instead they call it "Digital Rights Management". Now they too have protection under the law.

The parties involved seem to be the federal courts who protect digital rights to absurd limits, corporations who take the rights to absurd limits, and pirates who seem to have no limits. All of this is at the expense of consumers. We pay with our privacy, computers, time, money, and sanity. Once we don't have those any more, at least we won't need CDs. That's when the prices of Celine's next album will go up, because the cost of piracy must always be passed on to the consumer. It's only fair.

The only difference I see between the laws, the corporations, and the pirates is that the pirates are competent. They are efficient (fast deployment of "upgrades" to take full advantage of your new "software" from your "friends" at Sony), and they are successful. They keep their costs down. When was the last time they raised their prices?

When do I graduate?

Posted by: THaman | November 17, 2005 12:21 AM | Report abuse

Maybe it's about time that we all stand up and fight back by getting our music and movies the good old fashioned way.....

P2P = OVER THE ILLEGAL INTERNET = AT least you don't get a SONY INDUCED SLIMEBUG ILLEGALLY INSTALLED ON VICTIMS' COMPUTERS....
BUT then the RIAA will be so disappointed in that move.... They want you to be responsible good people and fall prey to being LEGAL and cope with SONY and others' anti copy protection schemes that wreak havoc on poor unsuspecting consumers' computers....

Posted by: JERRY K | December 1, 2005 2:13 AM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company