Analyst anticipates future bankruptcy for Sony

The whole notion of this somehow leading to bankruptcy for Sony is whack anyway. Even in the worst-case scenario, we're talking about Sony-BMG here, not Sony itself. Rob Enderle just clearly doesn't know what he's talking about by pondering the 'end-game' scenario for Sony as a whole. There's not some path of unlimited liability here that I can see going anywhere beyond Sony-BMG.
 
AlphaWolf said:
Incorrect. It is a program which creates a security vulnerability on a computer, which it then exploits to run a program to steal CPU cycles. Another issue is that if the user attempts to remove the software normally (deleting it) from his system, he could cause system failure.

A P2P filesharing program is a security vulnerability, as is MS Outlook. Where you want to draw the line is the question. Any program which enables external data to move into the system is a potential security vulnerability; this is nothing new.

AlphaWolf said:
Filesharing has risks which you can protect yourself against, as the risks are known; if any P2P software is modifying system files on systems, the distributors should be equally accountable. What the Sony-distributed rootkit is doing is secretly modifying vital system files so that it can hide itself.

It's stated in the EULA and you can protect yourself: don't use it. You're turning what is a position applicable to a broad spectrum of programs and applications into some Orwellian scheme to control and undermine users' security. It's utter bullshit; it's DRM code which was designed by a 3rd party and which, when manipulated, can cause problems. Hell, Outlook and Windows itself are programs which, when manipulated, can cause problems. Again, where you want to draw the line is what it comes down to: do we screw companies which provide a legit service, or do we crack down on the ways in which people can manipulate and create these problems?

It's not like Sony was selling this with malicious intent; just like many of Microsoft's products, which are infamous conduits for exploits and identity theft... they shouldn't be to blame for others' abuse.
 
The article's overboard, but now is about the worst time for Sony to be associated with this kind of stuff. They're close to launching two things which they are very dependent on: PS3 and Blu-Ray. To have either one stunted by association with this would be quite bad for them.
 
Inane_Dork said:
The article's overboard, but now is about the worst time for Sony to be associated with this kind of stuff. They're close to launching two things which they are very dependent on: PS3 and Blu-Ray. To have either one stunted by association with this would be quite bad for them.
Actually, it's better than being spotted after the launch of these important products, I guess... so not the worst timing, at least.
 
Vince said:
A P2P filesharing program is a security vulnerability, as is MS Outlook. Where you want to draw the line is the question. Any program which enables external data to move into the system is a potential security vulnerability; this is nothing new.

It's stated in the EULA and you can protect yourself: don't use it. You're turning what is a position applicable to a broad spectrum of programs and applications into some Orwellian scheme to control and undermine users' security. It's utter bullshit; it's DRM code which was designed by a 3rd party and which, when manipulated, can cause problems. Hell, Outlook and Windows itself are programs which, when manipulated, can cause problems. Again, where you want to draw the line is what it comes down to: do we screw companies which provide a legit service, or do we crack down on the ways in which people can manipulate and create these problems?

If you can address any of the meat of my argument feel free to post, if not don't bother to post. I am not going to be drawn into some tangent argument.

It's not like Sony was selling this with malicious intent

Prove it.

just like many of Microsoft's products, which are infamous conduits for exploits and identity theft... they shouldn't be to blame for others' abuse.

There are differences here that you are clearly not seeing. The rootkit does exactly what it was designed to do, it clearly is not an error.
 
Vince said:
A P2P filesharing program is a security vulnerability, as is MS Outlook. Where you want to draw the line is the question. Any program which enables external data to move into the system is a potential security vulnerability; this is nothing new.

There is a difference between software that has an unintended bug, and software that has both serious bugs and is also obviously attempting to subvert the OS in a manner that no trustworthy software should.

Speaking personally, and from Mark Russinovich's detailed analysis, Sony's DRM driver:

1. Has several serious bugs in it that can both render the system unrecoverable and damage Windows itself.

- The driver fails to perform basic parameter validation. This renders the OS vulnerable to crashes from user mode bugs as simple as forgetting to null terminate a string passed down from a user mode API.
- The driver has several race conditions and patches the OS's service dispatch table in an unsafe manner that can result in system crashes when the driver is unloaded.
- The driver registers itself in a manner that prevents Safe Mode from working correctly should there be a bug in the driver itself which prevents the OS from booting.
- The software consumes significant processor time even when the DRM protected material is not being played.

2. The rootkit modifies the operating system in a thoroughly undocumented and unsafe manner that no legitimate software (that is not used for debugging and software development) would need.

- The installed software masks any file or registry key prefixed with $sys$ from the user. It does not bother to check whose files it is masking, so anyone can use the filter to fool the OS and bypass any firewall, antivirus, or antispyware protection software present on the system.
- The installed software patches the operating system's service dispatch table, which allows it to hijack kernel interfaces with its own versions. There is NO legitimate reason (other than software development or debugging) to do this, and this is a highly unsupported and dangerous technique. Microsoft has discouraged this in the past and x64 Windows ships with protection to deter this technique.

3. It does this without providing any uninstall facility.

- Sony has offered an unmasking utility which removes the filter driver, and recently, finally offered a complete uninstaller after considerable public pressure.
- But users must jump through hoops to obtain the uninstaller:

a. it requires the installation of an ActiveX control into IE, which is in and of itself a security risk. A flawed ActiveX control can easily introduce further security holes into IE.
b. disclosure of personal information to Sony (which is then subject to further use via the standard privacy disclosure terms on the web site).
c. it only works on the machine where the user requested the uninstaller.
d. expires after 10 days.

4. The EULA is unclear as to the extent of the modifications to your system. It also implies the software is uninstallable, which it was not.

Sony EULA said:
As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.

It also promises not to collect any personal information.

Sony EULA said:
However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Analysis of the software's network traffic reveals that it does in fact phone home each time the CD is played, and does not ask for permission first, nor does it offer the user a way to turn this behavior off.

5. Sony's behavior since the rootkit software was discovered is nothing short of disgusting.

http://www.npr.org/templates/story/story.php?storyId=4989260
Thomas Hesse said:
"Most people I think don't even know what a rootkit is, so why should they care about it?"
-- Thomas Hesse, President, Sony BMG Global Digital Business Division

"No information ever gets gathered about the user's behavior. No information ever gets communicated back."
-- Thomas Hesse, President, Sony BMG Global Digital Business Division

Vince said:
It's stated in the EULA and you can protect yourself: don't use it. You're turning what is a position applicable to a broad spectrum of programs and applications into some Orwellian scheme to control and undermine users' security.

It absolutely is Orwellian, and it absolutely does undermine the security of your system.

Any kernel mode software which allows any other software to hide files from the OS and the user is a serious security hole.

Any kernel mode software which does not perform basic parameter validation potentially allows buffer overflows and denial of service attacks into the kernel. This is a serious security hole.

Vince said:
It's not like Sony was selling this with malicious intent; just like many of Microsoft's products, which are infamous conduits for exploits and identity theft... they shouldn't be to blame for others' abuse.

Regardless of intent, it is Sony's responsibility to make a good faith attempt to vet what they are shipping to their customers.

It is clear to me that not only did Sony not make any serious attempt to verify that what First4Internet was selling to them was an ethical and trustworthy piece of software, but they actively support what First4Internet is doing.

Sony is a reputable company, and it is their reputation which is going to be damaged because of things like this.
 
Last edited by a moderator:
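An added example (not code from the post above, nor from Sony, First4Internet or Mark Russinovich's tools) showing the two defensive checks that follow from the $sys$ masking described in point 2: a cross-view comparison between an unfiltered listing and what the filtered API reports, and a naming check for the cloaking prefix itself. The listings are constructed sample data; the $sys$ file and service names are placeholders, and the "raw view" in practice would come from an offline boot or a raw volume/hive parse (an assumption of this example).

```python
# Cross-view detection of entries cloaked by a "$sys$" name filter.
# The post above describes a filter driver that hides every file or registry
# key whose name begins with "$sys$" from normal Windows APIs, without
# checking who created it. Two defensive checks follow from that:
#   1. cross-view diff: anything in a raw (unfiltered) listing that is
#      missing from the API listing has been cloaked;
#   2. naming check: any entry carrying the prefix is using the cloak,
#      whoever put it there.
# All listings below are constructed sample data, not real output.

CLOAK_PREFIX = "$sys$"


def leaf(path):
    """Final component of a backslash-separated Windows path or registry key."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def cloaked_view(raw_entries):
    """Model of the filter's behaviour as the post describes it: drop every
    entry whose last component starts with CLOAK_PREFIX. Used here only to
    derive the 'API view' from the constructed raw listing."""
    return [e for e in raw_entries if not leaf(e).startswith(CLOAK_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Entries present in the raw view but absent from the API view."""
    visible = set(api_view)
    return [e for e in raw_view if e not in visible]


def detect_cloaked(api_view, raw_view):
    """Run both checks; returns (path, reason) pairs, one per suspect entry.
    A '$sys$' entry that is NOT hidden (e.g. the filter driver failed to
    load) is still reported, because the name itself marks the cloak."""
    hidden = set(cross_view_diff(api_view, raw_view))
    findings = []
    for entry in raw_view:
        if entry in hidden:
            findings.append((entry, "present in raw view, hidden from API"))
        elif leaf(entry).startswith(CLOAK_PREFIX):
            findings.append((entry, "cloaking prefix present but entry visible"))
    return findings


# Constructed raw listing. The "$sys$" names are placeholders, not the real
# file or service names shipped by the DRM software.
RAW_VIEW = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\$sys$drmfilter.sys",     # DRM component
    r"C:\Documents and Settings\user\$sys$unrelated.exe",  # 3rd party using the cloak
    r"C:\Documents and Settings\user\report.doc",
    r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$drmsvc",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Ntfs",
]


def demo():
    """What a user-mode scanner would see, versus what is really there."""
    api_view = cloaked_view(RAW_VIEW)
    return detect_cloaked(api_view, RAW_VIEW)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:45} {path}")
```

The second reason string matters once the filter is gone (uninstalled, or a driver load failure as in point 1): the hidden entries reappear, but the prefix still identifies software that relied on the cloak.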
aaaaa00 said:
Sony's behavior since the rootkit software was discovered is nothing short of disgusting.

Sony-BMG's behavior, Sony-BMG's...

And I agree it has been severely lacking.

But I really feel that all references to Sony in this thread should be changed to references to Sony-BMG; it's an extremely important legal separation. It's not that Sony's reputation won't be affected regardless, or that Sony itself is a saintly company by any stretch, but in terms of this act we should at least on this board recognize that the malfeasance lies with Sony-BMG and not with Sony proper.
 
No Permission

Vince said:
Sony sold a DRM scheme which, used legally, would cause no problems. It's the illegal manipulation of this program which is causing problems, but this isn't an isolated occurrence. So are you also against, say, P2P filesharing because it can be manipulated and used for illegal and often harmful purposes? What about the Internet at large? Are we to be against all entities which, when abused, cause harm? Why stop at data... should we sue Lexus and BMW every time someone unfortunately dies due to being hit by a drunk driver? I mean, they did enable the event by producing the vehicle. I find that to be quite a bad policy, if you were to take a step back and look at the ramifications of the policy you are advocating before attacking a single company.

Or, are you one who is against the free distribution of information and a proponent of strict controls on a person's actions? In which case, why not sue Microsoft for allowing such access to a system which is, ostensibly, moderated by their OS? (If it was OSX, I would have stated Apple; I'm not picking on MS here.)

It goes without saying that I find your position asinine, and that instead of holding companies that produce information-sharing programs or data in general responsible, we hold those who are manipulating and abusing their power responsible.

When people buy a Windows PC, it is understood that virus attacks can happen, no?

However, Sony got no permission to install hidden files on a privately owned consumer computer. So not only is the installation of files by Sony wrong, but Sony is also responsible for the additional new system vulnerability caused by the illegally installed software.

Each such CD must say "Playing this CD will cause software X to be installed on your computer, and this software might enable a security vulnerability. Do you want to continue?" This way the consumer accepts responsibility for this risk.

Secret installation without permission is illegal. No one can legally make changes to a privately owned product without permission.

Microsoft is very bad with customer privacy and it is bad that Sony was also doing this. It is good they have stopped.

Go to these sites for information and help with this type of hidden file removal:
http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.first4drm.html
http://cp.sonybmg.com/xcp/english/updates.html
 
As I understand it Sony aren't the only people implementing rootkits. Though their underhanded use of it for DRM is bang out of order (and interestingly AFAIK no-one has yet managed to make an unsigned EULA stand up in a UK court, so they can't do whatever they want and have a post-purchase agreement be legally binding... hence the reason Sony's rootkit isn't included on UK CDs from what I hear), it's the rootkit concept that's dodgy. I don't see a rootkit exploited by virus writers being any different conceptually to an OS without a firewall and every port open that can be exploited by hackers. It's not the intention to allow hackers, but it happens as a result of one's action/inaction.

I hope the upshot of this is a huge backlash against DRM, plus proper rootkit detection and removal software to add to one's already cluttered collection of anti-malware software :rolleyes:

And regards Sony going bankrupt, other companies have done far worse and survived.

Heh. I wonder if in truth Sony wanted to install this software to crash out a load of Windows machines once their Cell Linux alternative was in place as a secure alternative? :devilish:
 
xbdestroya said:
Sony-BMG's behavior, Sony-BMG's...

And I agree it has been severely lacking.

But I really feel that all references to Sony in this thread should be changed to references to Sony-BMG; it's an extremely important legal separation. It's not that Sony's reputation won't be affected regardless, or that Sony itself is a saintly company by any stretch, but in terms of this act we should at least on this board recognize that the malfeasance lies with Sony-BMG and not with Sony proper.

Everyone will just say Sony, it's shorter.... and Sony BMG _IS_ part of Sony, so I don't see what's the big difference....

As for going bankrupt... I doubt it, but this might kill their sales, their image and get them to pay shitloads of money after the lawsuits are over....

With so many lawsuits starting, this will be covered for a long time.... and every time more people will make a little reminder "Sony == bad".... it won't kill them, but it is a PR disaster...
 
Shifty Geezer said:
As I understand it Sony aren't the only people implementing rootkits. Though their underhanded use of it for DRM is bang out of order (and interestingly AFAIK no-one has yet managed to make an unsigned EULA stand up in a UK court, so they can't do whatever they want and have a post-purchase agreement be legally binding... hence the reason Sony's rootkit isn't included on UK CDs from what I hear), it's the rootkit concept that's dodgy. I don't see a rootkit exploited by virus writers being any different conceptually to an OS without a firewall and every port open that can be exploited by hackers. It's not the intention to allow hackers, but it happens as a result of one's action/inaction.

An OS without a firewall and every port open isn't the same as installing malicious software on a computer. Here is a simple example -> a computer that is not connected to the internet; in that case you don't have to worry about getting infected via the internet, but playing a Sony CD will install a rootkit that is eating your CPU resources even when you are not playing their music, that can crash your OS, and finally that can make your CD-ROM useless if you try to uninstall it.

This is what I call a BIG DIFFERENCE.

Shifty Geezer said:
I hope the upshot of this is a huge backlash against DRM, plus proper rootkit detection and removal software to add to one's already cluttered collection of anti-malware software :rolleyes:

And regards Sony going bankrupt, other companies have done far worse and survived.

Heh. I wonder if in truth Sony wanted to install this software to crash out a load of Windows machines once their Cell Linux alternative was in place as a secure alternative? :devilish:

As for DRM, I agree. But I doubt they wanted to crash Win machines... because if that was the intention and someone digs up proof, they would be axed in court.....
 
silence said:
Everyone will just say Sony, it's shorter.... and Sony BMG _IS_ part of Sony, so I don't see what's the big difference....

It's run as a separate company. You could sue Sony-BMG out of existence, and it wouldn't affect Sony Electronics or Sony AV or Sony Holdings, etc.

silence said:
As for going bankrupt... I doubt it, but this might kill their sales, their image and get them to pay shitloads of money after the lawsuits are over....

That certainly might be true.
 
Shifty Geezer said:
I don't see a rootkit exploited by virus writers being any different conceptually to an OS without a firewall and every port open that can be exploited by hackers. It's not the intention to allow hackers, but it happens as a result of one's action/inaction.

Yikes. The two situations are in no way similar.

An OS without a firewall and every port open can be exploited because there might be unintentional bugs or specific features that were never intended to be robust against attack. An OS is benign: its purpose is to run your apps.

A rootkit is designed specifically to subvert the OS running on the machine and hide things an attacker doesn't want the administrator to find. A rootkit is malevolent: its only purpose is to let an attacker take and keep covert control of your machine.

The fact that this particular rootkit allows anyone to use it, as opposed to just the attacker, just makes it worse.

There is a HUGE difference between the two situations.
 
Last edited by a moderator:
Bouncing Zabaglione Bros. said:
It's run as a separate company. You could sue Sony-BMG out of existence, and it wouldn't affect Sony Electronics or Sony AV or Sony Holdings, etc.


Yep, but it is owned by Sony, and in today's world image is sometimes more important than product. So, even if all reporters and headlines state "Sony-BMG", 99% of people will forget the last part. Check my topic about the issue. We were all discussing Sony and many stated that they won't buy anything Sony any time soon.... me first ;)

As I said, this is a PR disaster for the entire Sony, because as mainstream media picks it up (and they are rolling stories daily) most people, who are actually clueless what this is all about, will simply read "Sony opened PCs for hackers and viruses" or even more simply "Sony screwed its customers".....

Those 3 letters on the end won't make much of a difference for 99% of people. (Heh, I was looking to buy a new cell phone and there were some Sony-Ericsson models there and I just said "no way I am buying those".... probably stupid, but I think consumers should teach them a lesson ;) )

Here.... BBC story..... http://news.bbc.co.uk/1/hi/technology/4430608.stm
 
Last edited by a moderator:
I dare a mod to stick this thread into the console forum. :LOL:

I think it's silly to say that Sony will go bankrupt anytime in the near future.
It's like saying Microsoft will go bankrupt because FireFox stole 10% of IE's market share.
 
THE best comment i found :

<DmncAtrny> I will write on a huge cement block "BY ACCEPTING THIS BRICK THROUGH YOUR WINDOW, YOU ACCEPT IT AS IS AND AGREE TO MY DISCLAIMER OF ALL WARRANTIES, EXPRESS OR IMPLIED, AS WELL AS DISCLAIMERS OF ALL LIABILITY, DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL, THAT MAY ARISE FROM THE INSTALLATION OF THIS BRICK INTO YOUR BUILDING."
<DmncAtrny> And then hurl it through the window of a Sony officer
<DmncAtrny> and run like hell

bash.org rules :LOL:
 
K.I.L.E.R said:
I dare a mod to stick this thread into the console forum. :LOL:

I think it's silly to say that Sony will go bankrupt anytime in the near future.
It's like saying Microsoft will go bankrupt because FireFox stole 10% of IE's market share.

This actually started in consoles and was moved out. ;)
 
silence said:
Yep, but it is owned by Sony, and in today's world image is sometimes more important than product. So, even if all reporters and headlines state "Sony-BMG", 99% of people will forget the last part. Check my topic about the issue. We were all discussing Sony and many stated that they won't buy anything Sony any time soon.... me first ;)

Well, it's 50% owned by Sony, 50% owned by Bertelsmann. The stake is an equity stake, so it's not the same situation as Sony and SCE, or Sony and their electronics division. It's more akin to SonyEricsson, another joint venture in which the ownership is 50% equity. And for some reason I feel that if it were SonyEricsson - and I don't know exactly why - people wouldn't be calling it Sony for short, they'd be giving it the full SE.

Anyway yes, potential for PR disaster.
 
xbdestroya said:
Well, it's 50% owned by Sony, 50% owned by Bertelsmann. The stake is an equity stake, so it's not the same situation as Sony and SCE, or Sony and their electronics division. It's more akin to SonyEricsson, another joint venture in which the ownership is 50% equity. And for some reason I feel that if it were SonyEricsson - and I don't know exactly why - people wouldn't be calling it Sony for short, they'd be giving it the full SE.

Anyway yes, potential for PR disaster.
It's simple.... for people BMG means shit, while they know Sony.... so in their minds it will be Sony and no one else....
 