Sony Warned Weeks Ahead of Rootkit Flap

Zonk posted more than 8 years ago | from the going-a-little-slowly dept.

Security 335

pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."

So corporations still lie.... (4, Insightful)

MaskedSlacker (911878) | more than 8 years ago | (#14139610)

So Sony was lying its collective arse off when saying it reacted as quickly as it could? This is news how?

Another possibility exists... (5, Insightful)

bigtallmofo (695287) | more than 8 years ago | (#14139635)

So Sony was lying its collective arse off when saying it reacted as quickly as it could?

That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.

Re:Another possibility exists... (4, Funny)

Vengeance (46019) | more than 8 years ago | (#14139671)

That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.

OK, OK, let's keep politics out of this discussion.

Re:Another possibility exists... (3, Insightful)

MaskedSlacker (911878) | more than 8 years ago | (#14139679)

True, and you should never ascribe to malice that which can be explained by incompetence. Though in the fun world of corporations, the two seem to go hand in hand.

Re:Another possibility exists... (3, Insightful)

HTL2001 (836298) | more than 8 years ago | (#14139833)

Not so much hand-in-hand as that incompetence is used as an excuse.

Which is ridiculous because ignorance is NOT (supposed to be) a viable defense in legal actions. I see so many people say "Sony probably didn't know blah blah blah" but the truth is, they are responsible for it, so they should make it their duty to know. And if they don't, it's (supposed to be) law that they be held accountable.

However, ignorance seems to get you a pass if it involves technology, <sarcasm>since no-one can possibly understand that stuff anyway, except for the hackers that exploit it</sarcasm>

Re:Another possibility exists... (1)

oopsdude (906146) | more than 8 years ago | (#14139827)

That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.

Never attribute to malice what can be attributed to incompetence - Some Dead Guy.

Re:Another possibility exists... (1)

johnos (109351) | more than 8 years ago | (#14139975)

"Never ascribe to malice that which can be explained by stupidity"
Wise words indeed.

Re:So corporations still lie.... (1)

TubeSteak (669689) | more than 8 years ago | (#14139670)

After this revelation... It was as if millions of geeks cried out in terror and were suddenly silenced^H^H^H^H^H^H^H^Hvindicated

Re:So corporations still lie.... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14139857)

I suspect that they were reacting as quickly as they could. After all, they were trying to develop a patch, and those things take time. Of course, without disclosure, they probably would have made the patch change the secret word from $sys$ to $sis$. After the disclosure, their hand was forced, and they had to change their plans and release an "uninstall" that installed other spyware as well as turned off IE security settings for ActiveX controls.

What a load (5, Insightful)

Microlith (54737) | more than 8 years ago | (#14139628)

Scramble? To contain the crisis?

They almost never admitted what they had done, and continually denied the dangers posed by this rootkit.

They only started the recall after people pointed out repeatedly that their "uninstaller" didn't, and received criticism from the government.

"as quickly as they could" my ass.

Of course, they could have been smarter and never released it to begin with.

Sony made a rootkit? (5, Funny)

Winckle (870180) | more than 8 years ago | (#14139630)

Why didn't Slashdot tell us before?!

Re:Sony made a rootkit? (1)

Vengeance (46019) | more than 8 years ago | (#14139640)

It's the new anti-dupe filter. Someone added an extra exclamation point, and no new stories can make it through anymore.

Re:Sony made a rootkit? (2, Informative)

gg3po (724025) | more than 8 years ago | (#14139739)

Surely you jest...

...and that doesn't even count all the Slashbacks. Maybe you should consider adding a </sarcasm> tag :-) . I must admit, however, that this is one case where I don't mind the repeated updates. I hope Sony isn't allowed to forget what they did. This will make an example of them to anyone considering such tactics in the future.

Re:Sony made a rootkit? (3, Funny)

Anonymous Coward | more than 8 years ago | (#14139778)

Why didn't Slashdot tell us before?!

You're reading on a Vaio, in which case you won't be able to see any stories containing the sequence $sys$

Re:Sony made a rootkit? (0)

Anonymous Coward | more than 8 years ago | (#14139838)

+1 funny on parent please?

Re:Sony made a rootkit? (1)

octaene (171858) | more than 8 years ago | (#14139958)

The sad thing is, another record company is bound to make the exact same mistake. Nobody will learn from this snafu and consumers will be once more negatively affected.

Proves public disclosure is the best for security (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14139632)

Until a security hole is widely published (not privately communicated) it's very likely to continue spreading unchecked.


I think this is great evidence that early public disclosure is very important. At the minimum, the affected users can start using workarounds (turn off insecure systems) until fixes are available.

Re:Proves public disclosure is the best for securi (4, Insightful)

Concerned Onlooker (473481) | more than 8 years ago | (#14139781)

Until a security hole is widely published

I don't think this was a security hole so much as breaking and entering. I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.

Re:Proves public disclosure is the best for securi (0)

Anonymous Coward | more than 8 years ago | (#14139911)

Exactly, and because Sony did not publicly apologize and do everything in their power to fix it, myself and many others will never EVER buy another Sony product again.

I do not care about the PSP or audio or TV or whatever are separate. The main corporate management are to blame here and because they are untrustable I will forever boycott them until they issue a public apology to everyone on the planet admitting to the underhanded BS they tried to pull.

I.E. they never will.

Re:Proves public disclosure is the best for securi (1)

pdschmid (916837) | more than 8 years ago | (#14139847)

It depends how serious the affected company is about security. I like the idea of having a patch available concurrent with the disclosure of a threat. In this case Sony was trying to cover up its illegal doings, so they had no real interest in patching. I doubt that F-Secure would have let Sony get away with this for much longer.

Can't trust the company. (2, Insightful)

Descalzo (898339) | more than 8 years ago | (#14140009)

Actually, it is my firm belief that you CAN trust a successful company to do things that are in their best interests. Clearly, they seem to think that customer ignorance is good for business. Why would they think that? Perhaps we have trained them to think that. The real lessons here are:
Be proactive.
Watch out for yourself.
The only way to get a corporation to look out for your best interests is to convince it (remind it?) that your interests are their interests (happy customers!).
Make your interests clear by voting with your wallet. Is there a company out there that tries to fix security holes before the customer knows about them? If so, buy your products from them.

As I wrote that last bit, it occurred to me: perhaps leaving the security-hole-finding business up to the customer base is good business sense because it works and is cheaper than hiring your own security-hole-finders. I guess that brings us back to the proactive list.

In short, I agree totally with your post.

That's what happens... (5, Funny)

Anonymous Coward | more than 8 years ago | (#14139633)

...when a company becomes bigger than its customer base.

They shouldn't have recalled the CDs (5, Funny)

Pac (9516) | more than 8 years ago | (#14139642)

Van Zant, Celine Dion, and Neil Diamond

They should have left the rootkit in place so we could download some good music directly to these misguided buyers' hard drives.

Re:They shouldn't have recalled the CDs (1)

southpolesammy (150094) | more than 8 years ago | (#14139694)

No technical solution exists to correct the lack of taste of the potential buyers of these CDs. Even Orrin Hatch's PC Bomb isn't sufficient.

Re:They shouldn't have recalled the CDs (0, Troll)

masklinn (823351) | more than 8 years ago | (#14139715)

I found out that emptying a full clip in the buyer's face does wonders to his musical tastes

Re:They shouldn't have recalled the CDs (1)

1_brown_mouse (160511) | more than 8 years ago | (#14139830)

Make them all have Heavy Metal bouncing around in their heads?

Re:They shouldn't have recalled the CDs (3, Funny)

jx100 (453615) | more than 8 years ago | (#14139937)

They suddenly like gangsta rap?

Re:They shouldn't have recalled the CDs (4, Funny)

Bin_jammin (684517) | more than 8 years ago | (#14139752)

Wouldn't that be an upload?

Re:They shouldn't have recalled the CDs (0, Troll)

Delphiki (646425) | more than 8 years ago | (#14139792)

Wow, I'm intrigued by your brilliant musical insights. Even though you can't download it to their hard drives, you should at least start a newsletter, to tell everyone why the music they like sucks and why they should listen to what you tell them to instead.

Re:They shouldn't have recalled the CDs (1)

EnderWiggin99 (84576) | more than 8 years ago | (#14139983)

In line with parent, hone your skills. There will be some openings at Sony Music fairly soon I wager.

But they wouldn't listen (1)

Pac (9516) | more than 8 years ago | (#14139987)

Yeah, yeah, I have been told many times before my musical insights are brilliant. But, you see the problem, the unwashed masses are not prepared or willing to listen to me. That is why the rootkit solution is so good - one could even leave the filenames intact and change the file under them and there you are: the unsuspecting listener fires up his/her usual playlist and suddenly Celine Dion sounds heavenly.

2 words... (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#14139650)

FUCK SONY!

Obligatory quote (-1, Offtopic)

Spy der Mann (805235) | more than 8 years ago | (#14139653)

<Nelson>HAH HAH!</Nelson>

Ah... that felt SO good. :)

Still on the Shelves (5, Informative)

Anonymous Coward | more than 8 years ago | (#14139656)

Not only is Sony not moving fast, NY AG Eliot Spitzer reports that affected CDs are still being sold at various retail outlets. I'm not sure how much control Sony has over recalling CDs at some Wally World in Drum Nebraska, but this snafu puts them right up there with Adobe in corporate arrogance and stupidity.

Sony has become an arrogant company? (1)

PCM2 (4486) | more than 8 years ago | (#14139842)

Good lord, I thought I'd never see the day.

Re:Still on the Shelves (0)

Anonymous Coward | more than 8 years ago | (#14139879)

Sony has no influence over what has to be recalled, it is up to the distributors to do so. They have to notify the retailers who then notify their employees.

Don't blame Sony for something they cannot control.

As for the rootkit, they should have never tried it. It's spyware, a viral software package that has been outlawed. If Sony was unaware of the potential damage this has caused, they should go after their software provider. Yet I'm sure that the EULA from them reads: "we are not responsible for any damage done to anyone's computers for using this product".

Re:Still on the Shelves (0)

Anonymous Coward | more than 8 years ago | (#14139978)

Adobe? What have they done recently?

If this is true... (4, Insightful)

julesh (229690) | more than 8 years ago | (#14139658)

If this is true, then Sony just lost them court cases we've been hearing about. Having been told about it and not issued a product recall at the earliest opportunity (i.e. within a day or two) means that they were intentionally subverting people's computers.

The only defence available to them was that they didn't realise this was happening. They've just lost that.

Re:If this is true... (3, Interesting)

BushCheney08 (917605) | more than 8 years ago | (#14139773)

They were intentionally subverting people's computers to begin with, hence they were in violation of CA and TX's computer privacy laws anyways. They had very little chance of winning either of those cases as is. Of course, this just bolsters the state's cases.

Re:If this is true... (2, Interesting)

TheRaven64 (641858) | more than 8 years ago | (#14139989)

Sony could have claimed that they were unaware of exactly how the software worked, since they bought it from an outside company. Since they were notified and still didn't issue a recall (or even stop distributing new copies) then they can be shown to have willfully continued to violate the law. This degree of premeditation will not go over well in a court of law.

Re:If this is true... (3, Interesting)

Kevin DeGraaf (220791) | more than 8 years ago | (#14139801)

Sony just lost them court cases we've been hearing about

Sony is a BIG company, huge enough to be considered a part of The Man. Therefore, there's no way that (1) they will lose any suits, or (2) they will be hit with damages that will have any practical impact whatsoever.

I would love to have to eat these words... here's hoping.

Re:If this is true... (3, Insightful)

Generic Guy (678542) | more than 8 years ago | (#14139901)

Sony is a BIG company, huge enough to be considered a part of The Man.

Sony is primarily a foreign company, so they won't get a free pass. However, the majority way these things usually work out is one or more politically ladder-climbing motivated Attorney Generals sue Sony "on behalf of the people" or somesuch hollow excuse. The proceedings drag on at a glacial legal-system pace, bad PR fades out of the public eye, and eventually AG announces an out of court "settlement" between company and the State. Said settlement money goes straight into State's coffers, never to be seen or heard about again.

All in the end, you are still out $18 for a dodgy CD disc and stuck with a rootkit infecting your PC.

Re:If this is true... (1)

myth24601 (893486) | more than 8 years ago | (#14140016)

"eventually AG announces an out of court "settlement" between company and the State. Said settlement money goes straight into State's coffers, never to be seen or heard about again."

Sometimes the people affected get something too. Sony will cop a deal where they give a jillion to the state as well as coupons to their affected customers for a free blank Sony brand cassette tape or 8Track or some other useless noncash item.

Re:If this is true... (1)

Absolut187 (816431) | more than 8 years ago | (#14139992)

I think their biggest defense was and still is the EULA. Every user consented to have the virus added to their computer.
I haven't seen any details on the lawsuits, but I think the real issue will be whether the EULA covers what the program actually installed.

Impressions (5, Insightful)

A beautiful mind (821714) | more than 8 years ago | (#14139662)

When the Sony rootkit case first hit the news, I considered F-Secure to be quite good for an anti-virus company because they were reasonably quick adding the rootkit to their signature file.

They've just lost that credit for me. They knew for a month and were sitting on it! That is not acceptable. There should have been no warning to Sony, just a public statement from F-Secure at the beginning of October about the rootkit.

Re:Impressions (0)

Anonymous Coward | more than 8 years ago | (#14139761)

Could they have signed a NDA preventing just that? It would be silly to have another company look over your work without one.

Re:Impressions (1)

A beautiful mind (821714) | more than 8 years ago | (#14139852)

No, the law doesn't work that way, similarly you can't enforce/consider valid a NDA covering up a murder, for example.

Re:Impressions (4, Insightful)

Tmack (593755) | more than 8 years ago | (#14139843)

It's called professional courtesy. If they immediately notified the public, there would have been an exploit that many days sooner, before ANY action could be taken to fix it. This is the same as any MS or other exploit. Once a firm knows about it, they notify the software's management to fix it and wait a few days to release the news to the public. That gives the developers time to at least create a patch to prevent any further damage. Is it F-Secure's fault Sony did something stupid in the first place? Are you going to blame Symantec on the next exploit they find, tell Microsoft about, and wait a few days before alerting the public? How about the IE bug just moved to critical status that's been around for many months, is that to be blamed on Secunia? They knew about it since June and waited until this weekend to escalate it to critical, only after a proof of concept was released.

It's easier to prevent a fire by notifying management to fix the sparking wires than to put one out after notifying a world full of pyros to come dump gasoline on it.

tm

Re:Impressions (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14139922)

This isn't the equivalent of a bug in IE. Sony deliberately infected their customers' computers with malware. Sure it was buggy malware but that's hardly the main issue. If you see a Sony executive breaking into someone's house, would you let the Sony exec know so that he could have a month to fix the problem before anyone else found out?

Re:Impressions (2, Insightful)

harrkev (623093) | more than 8 years ago | (#14140008)

It's easier to prevent a fire by notifying management to fix the sparking wires than to put one out after notifying a world full of pyros to come dump gasoline on it.

It is sad, but these days, nothing gets fixed until AFTER the fire has started, no matter how much notice that you give.

F-Secure should have made this public 30 days after notifying Sony. This way, at least Sony has a chance to fix this. And if they didn't, too bad for them and they deserve what they get.

Of course, for all we know F-Secure might have planned to do this. The rootkit was made public slightly less than 30 days after Sony was informed. Perhaps a couple of days later, F-Secure would have blown the whistle.

Re:Impressions (4, Insightful)

pdschmid (916837) | more than 8 years ago | (#14139923)

I think F-Secure's response was very appropriate. Imagine the following scenario: A serious flaw that could be exploited by a worm is discovered in Windows. All one needs to write a worm is to know some vague information about the flaw, e.g. where to look for it. A good programmer could write a worm in a day. A patch for the flaw takes longer to create, as it needs to pass some rigorous testing (after all the patch shouldn't break your Windows installation). So, what do you prefer? Immediate public disclosure and a day later a worm infects Windows installations all around the world? Or public disclosure concurrent with a patch from Microsoft which had been privately warned about it? I know I prefer the latter scenario. F-Secure was acting in the best interest of the people who had been infected by this rootkit. Sony BMG though had no interest in helping those people, because they were more interested in covering up their illegal doings. F-Secure would have gone public eventually. They would have not just sat there and watched Sony get away with it. However, they gave Sony BMG a reasonable chance in fixing the security holes, as they do give any other company rightly so.

Patrick Schmid

Re:Impressions (0)

Anonymous Coward | more than 8 years ago | (#14139969)

The users, not Sony, lose if F-Secure does release the news before contacting Sony.

How fast did those virus-on-XCP come out after the news broke? A week? If F-S released the news first, there wouldn't be a patch for the rootkit by the time these viruses arrive. What would the users do? Suffer until Sony (or its fellow anti-virus companies) releases the patch?

In most cases, security through obscurity is bad; but not when you try to give the said company time to come up with a fix to avoid the "nowhere to turn" problem.

Full Disclosure is Hard (4, Interesting)

Daedala (819156) | more than 8 years ago | (#14140007)

I disagree. I think F-Secure did great. I also think Mark Russinovich did great.

I think that it would have been much better if the news could have broken with a working, well-engineered patch. This is always preferable. F-Secure was trying to make this happen. A month is not a long time. Yes, a lot of people were infected in that month; but a lot of people were infected anyway. F-Secure did a right thing.

On the other hand, Russinovich also did a right thing. This software was not a mistake; it was deliberate. People were getting infected and had no idea. Clearly, people should know about this. Clearly, the corporation did not give a rat's ass about their users.

I like responsible full disclosure: give the maker time to fix it, and publish with a patch when possible. But don't allow eternal "patch development," and make sure disclosure happens. There is room for disagreement among people of good will and high ethics.

Sony need not apply to that group, though.

recalled? (5, Funny)

wazzles (729440) | more than 8 years ago | (#14139663)

It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond.

CDs by these artists should have been recalled anyway, rootkit or not.

Sony Root Kit foiled my attempts (0, Offtopic)

buddhahat (410161) | more than 8 years ago | (#14139664)

to spread the love of Neil Diamond to all and sundry across the internet. I had so hoped to illegally share that ND CD... damn you Sony!

Quick somebody (0, Troll)

FunctionalMethod (751923) | more than 8 years ago | (#14139693)

involve Microsoft!

Ok.... (0)

Anonymous Coward | more than 8 years ago | (#14139733)

FUCK MICROSOFT, TOO!

Obligatory (4, Funny)

LilJC (680315) | more than 8 years ago | (#14139700)

"I'm a recall coordinator. My job was to apply the formula. It's simple arithmetic. It's a story problem. A new car built by my company leaves Boston traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: Do we initiate a recall? You take the number of vehicles in the field (A) and multiply it by the probable rate of failure (B), multiply the result by the average out-of-court settlement (C). A times B times C equals X. If X is less than the cost of a recall, we don't do one."

Re:Obligatory (5, Funny)

nb caffeine (448698) | more than 8 years ago | (#14139787)

What car company do you work for?

Re:Obligatory (1)

buddhahat (410161) | more than 8 years ago | (#14139820)

It's a quote from the movie "Fight Club." Ed Norton's character plays a recall coordinator for a "major" car company.

Re:Obligatory (1, Funny)

Anonymous Coward | more than 8 years ago | (#14139837)

It's a quote from the movie "Fight Club." Ed Norton's character plays a recall coordinator for a "major" car company.

And yet, you missed the fact that the parent post was the next line in the movie... *sigh*

Re:Obligatory (1)

buddhahat (410161) | more than 8 years ago | (#14139870)

Doh. I'm revoking my posting privileges.

Re:Obligatory (4, Funny)

Minwee (522556) | more than 8 years ago | (#14139875)

Now a question of etiquette. In response to your post, do I give you the ass or the crotch?

Re:Obligatory (1)

sunya (101612) | more than 8 years ago | (#14139896)

*WOOOOSH* GP's comment was continuation of the quote. The woman sitting next to the narrator asks the question, to which he replies : "A major one".

Re:Obligatory (0)

Anonymous Coward | more than 8 years ago | (#14139888)

A major one.

Re:Obligatory (1)

Jeng (926980) | more than 8 years ago | (#14139844)

When B=A and C can cost upwards of $100,000 but more likely $100 not including legal fees I really really have to wonder how much X was going to cost for the recall coordinator to not issue a recall earlier.

hello Sony (1)

Anonymous Coward | more than 8 years ago | (#14139710)

N E FLAPS?
hisssssssssssssssssssssssssssssssssss

As quickly as they could? (4, Insightful)

Jerry Coffin (824726) | more than 8 years ago | (#14139716)

Sony BMG officials insist that they acted as quickly as they could,

In this case, "as quickly as they could" seems to really mean "as slowly as they could get away with."

How long is it going to be before these companies realize that attacking their customers and treating them like criminals really is NOT a good way to do business? Microsoft's "product activation", Sony's rootkit, etc. ad naseum do essentially nothing to stop real hackers from copying software, music, etc., as much as they want, so the only thing they really accomplish is hurting the legitimate customers.

These lousy business practices are reflected in their (lack of) sales too. I don't mean to say a boycott of Sony would necessarily be a bad thing, but for those who haven't looked, take a look at Sony's stock prices [yahoo.com] -- boycott or no, they're not exactly burning up the charts right now.

Now, Sony (etc.) will undoubtedly point to Napster and such as the reason they're not doing as well recently. I don't think that's the case. I think what's happened is that Sony is now concentrating more on forcing customers to pay than they are on producing things customers want. As is visible in their stock price, that simply leads to oblivion, not prosperity.

--
The universe is a figment of its own imagination.

Re:As quickly as they could? (3, Interesting)

Jeng (926980) | more than 8 years ago | (#14139895)

Like the metal detectors I had to go through to leave the production floor when I worked at Dell. They are there as a sign of theft deterrent, not to provide real theft deterrent. Oddly enough when I worked there the security staff was slipping servers out the backdoor.

Re:As quickly as they could? (1)

slavemowgli (585321) | more than 8 years ago | (#14139913)

Microsoft's "product activation", Sony's rootkit, etc. ad naseum

To the nose? :) (Admittedly, that technically would be "ad nasum", but what you wrote is closer to that than to "ad nauseam". :))

Re:As quickly as they could? (1)

Misch (158807) | more than 8 years ago | (#14140001)

How long is it going to be before these companies realize that attacking their customers and treating them like criminals really is NOT a good way to do business?

When does Sony post its fourth quarter results?

2nd chance to buy one (1)

SnarfQuest (469614) | more than 8 years ago | (#14139722)

It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond.

Watch for the recalled CDs in the bargain racks in the near future. You know that's where they will end up.

Re:2nd chance to buy one (2, Funny)

CoolCash (528004) | more than 8 years ago | (#14139760)

...Van Zant, Celine Dion, and Neil Diamond

They're already there...

Anyone wonder... (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14139730)

..how many other 'DRM kits' that were in development by other music publishers went to the toilet because of this? Or am I the only one? Bravo SONY!!! This is the first time I saw you doing something good for the community.

I don't think they've been pulled, needs checking (0)

Anonymous Coward | more than 8 years ago | (#14139732)

I don't think they are taking them off the shelf. According to a newspaper article I read, they're still amply on retail shelves everywhere. Amazon is the only company that has publicly written consumers to let them know about their CDs. I bought a new CD from a company advertising on amazon's auction space, not amazon itself, and I wasn't informed.

I think Sony said this to avoid heat. Since it's too expensive to recall all those CDs, if they are caught, they will fall back to "well, we are offering an exchange if consumers write to us". This would match the other lying Sony has been engaged in. For instance, they claimed to remove the rootkit, and they only removed the cloaking part of the rootkit. They made no mention of a spybot.

I call b.s. (2, Insightful)

akad0nric0 (398141) | more than 8 years ago | (#14139735)

It doesn't take that many weeks to recall CDs and tell resellers to take them off of their shelves.

They're telling the truth, in part: they reacted as fast as they could to the bad press. But not to the real issue - the flawed software.

Re:I call b.s. (1)

Giometrix (932993) | more than 8 years ago | (#14139818)

Except this isn't flawed software. It's illegal software. Big difference, unless by "Flawed" you meant "Lack of lawfulness." Just my 2c.

I wonder what BusinessWeek got to print that crap (0)

Anonymous Coward | more than 8 years ago | (#14139742)

A mea culpa after it's been exposed? Let's see some internal memos that say how they were "handling" it before it was put on the blog.

And, of course, they blame another company, stating

"Sony outsourced the job of writing the software to a small British consultancy called First4Internet Ltd. The resulting program, called XCP, made it possible for hackers to hide malicious code in customers' PCs."

So, they're really really sorry they outsourced their DRM rootkit to the wrong company. Rich.

One hand stabs and the other doesn't know it (3, Interesting)

Schezar (249629) | more than 8 years ago | (#14139749)

Sony, like all megalithic corporations, behaves internally like dozens of smaller, independent companies. They're vying for their shares of the corp's limited resources and trying to justify their continued existence. I work for IBM, and it's the same way.

That said, I wouldn't be surprised if the people who received this warning never had any contact with the people responsible for the rootkit. Intra-company communication is horrid in large corps, and often the people implementing solutions get little or no real information beyond requirements and specs from those making the decisions above them.

One manager tells another manager who tells a team to hire people to write a DRM. Another manager gets a message about how dangerous these "rootkits" are, and forwards it to another manager who thinks "we're not making a rootkit, we're making a DRM."

Sony's music division cannot reconcile its business with Sony's technology division. They're competing directly, and eventually one of them is going to win. I'm hoping this was another nail in the former's coffin.

"... it offered exchanges to customers." (4, Interesting)

Giometrix (932993) | more than 8 years ago | (#14139756)

This line makes me so incredibly mad. Wow, they offered to exchange something that could do damage to my finances and business for something that won't... something that they were hiding and SHOULDN'T have been on an AUDIO CD in the first place. Gee, thanks.

For all the flak that Microsoft gets in regards to security... at least they're bugs, by bad design or not. This is something Sony deliberately put into their products. I want heads to roll.

I wonder... (2, Interesting)

tkrotchko (124118) | more than 8 years ago | (#14139768)

I wonder if the artists will be "charged" for recalling their CDs and reissuing them... that would be sadly funny. Maybe it would make a few of these artists strike out on their own.

Sony LOVES DRM (1, Interesting)

killercoder (874746) | more than 8 years ago | (#14139769)

Buy any Sony DVD after Jan 1 2005 and you can't play it without using their player (or DVD Decryptor)....Why? They deliberately put bad sectors on the disk.

Buy a Sony music CD produced after Aug 1, 2005 it installs a root kit.

What's next? Buy a Sony Walkman and it won't play anything but a Sony CD? Idiots, time for a boycott.

Got a link? (1)

Gruneun (261463) | more than 8 years ago | (#14139974)

Buy any Sony DVD after Jan 1 2005 and you can't play it without using their player (or DVD Decryptor)....Why? They deliberately put bad sectors on the disk.

I buy tons of DVDs and I have never encountered this problem. Not just in my Sony DVD player, mind you, but in my computer, my Xbox, my Pioneer DVD player, or my car's player. Not to mention, the first reaction of a consumer will be to exchange the disc, not buy a new DVD player, let alone a Sony model.

I will admit, though, that it's the Sony DVD player that is the most likely to have problems reading a disc. I do attribute that problem to them.

Sadly, Sony has to learn the same lesson (1)

WindBourne (631190) | more than 8 years ago | (#14139779)

Back in late 80's/early 90's, I worked at HP. Back then, openings in HP would take forever to get done. But that was also true of all the other unixes. By '95, the *nixes were cleaning up their acts. So, it was MS that took forever (and many would argue still do).

So now, we have appliances (Cisco comes to mind), and even consumer manufacturers that are taking forever.

Hard lessons are never learned until law suits hit. Too bad that ethics do not seem to matter in business or politics.

This is wonderful! (2, Insightful)

drinkypoo (153816) | more than 8 years ago | (#14139783)

It's always a lot easier to bust a corporation when there is evidence that they knew they were doing something wrong. Haven't you seen Erin Brockovich? :D

! B ! O ! Y ! C ! O ! T ! T ! sony (2)

dan of the north (176417) | more than 8 years ago | (#14139799)

Not forever, just until January 02 /06.

If Sony misses out on the Christmas rush perhaps they, and the rest of the E! industry, will figure out that their customers don't like to be harassed, lied to or spied on.

!!! - Arista Records, BMG Classics, BMG Heritage, BMG International Companies, J Records, Jive Records, LaFace Records, Provident Music Group, RCA Records, RCA Victor Group, RLG - Nashville, Sony Urban Music, So So Def Records, Verity Records, Columbia Records, Epic Records, Legacy Recordings, Sony Classical, Sony Nashville, Sony Wonder, Sony Ericsson, Sony Music, Sony Pictures, Sony Electronics & PlayStation. - !!!

Sony's actions were egregious, their behaviour is arrogant and their response has been without remorse.

A six week consumer action just might have the effect of reaching into the corporate boardrooms and making those who approve such actions pause. A six week consumer action just might make pension funds and other big $$ investors smack corporate leaders upside the head and direct them to 'do no evil'. A six week consumer action just might tip the balance, for a little while anyway, away from unaccountable corporate malfeasance.

Please keep in mind that while Sony is the target of this boycott; it is the insatiable, unconscionable corporate thinking that perverts any reasonable interpretation of capitalism that needs to be reformed... My hope is that Sony can go from loser to leader.

Re:! B ! O ! Y ! C ! O ! T ! T ! sony (1)

Seth Finklestein (582901) | more than 8 years ago | (#14139959)

I'm not buying any CDs from any manufacturer any more, ever. Instead I'm going to use passive, nonviolent protest by using KaZaA to download the music I want.

I'm also going to liberate a PlayStation 3, mod it, and steal the games that Sony wants me to buy.

You're welcome, Dan.

Re:! B ! O ! Y ! C ! O ! T ! T ! sony (1)

djdanlib (732853) | more than 8 years ago | (#14139973)

So, you're going to try to single-handedly start a boycott right during the Christmas shopping season, when all the kids are begging their parents for the PS3 and all those PlayStation games, music CDs, DVDs, TVs, DVD players, headphones, digital cameras, movie tickets, and miscellaneous electronics devices they've been wanting, so that Sony execs will say "Oh, how wrong we have been to value our money so much"? How exactly did you plan for this to work, and who do you think is going to listen that will make any sort of significant impact on Sony's finances?

Remember, they blame their losses on piracy, rather than more probable causes, so if people suddenly stop buying from them... guess who takes the blame: Pirates! Arr, those horrible scallywags!

Re:! B ! O ! Y ! C ! O ! T ! T ! sony (1)

Lumpy (12016) | more than 8 years ago | (#14139985)

Get realistic. It is 100% impossible to get the public to do anything. Hell, the lure of a new shiny is enough to make most consumers burn themselves over and over.

Asking for a 6 week boycott? That's like asking for Ohio to swap places with Indiana. It will never EVER happen.

Suicide? (1)

Hope Thelps (322083) | more than 8 years ago | (#14139815)

It's like they're BEGGING the EFF to add to their complaint "the rootkit was so deeply embedded and so thoroughly concealed that Sony themselves say it would take even them a month or more to create an uninstaller".

Sony have got to be trying to lose. Nobody could be this incompetent by accident.

Never underestimate incompetence (2, Funny)

Overzeetop (214511) | more than 8 years ago | (#14139943)

Never underestimate the incompetence of a large organization, nor the ability of middle managers to hide career-stopping errors for short* periods of time.


*Short is generally between 60 days and 4 years - sometimes longer, but rarely shorter. It is mostly dependent on the type of auditing done, the desire of upper management to find a scapegoat, and the amount of publicity surrounding the original erroneous decision.

Sony BMG didn't understand the software ???? (1)

Chaffar (670874) | more than 8 years ago | (#14139819)

"Sony BMG didn't understand the software it was introducing to people's computers"

Really, then I suppose that when the head of Sony BMG's global digital business, Thomas Hesse, told National Public Radio: "Most people, I think, don't even know what a rootkit is, so why should they care about it?" I assume that he includes HIMSELF as part of those "people".

Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis.

Bad Russinovich, not giving Sony enough time to "do the right thing" [be a man ;)] I'm sure they were going to go public with the glitch as soon as they had found out about it. Because Sony is irresponsible enough to install software which they don't even "understand" apparently, I'm supposed to believe them when they claim that they were going to act responsibly and actually go public with this thing? What the f*ck ever...

Scrambling to contain the crisis (4, Funny)

digitaldc (879047) | more than 8 years ago | (#14139832)

Phony Sony put its CDs on a shelf
Phony Sony had a rootkit which installed itself.
But all of Sony's lawyers and all of Sony's PR men,
Could not put the integrity back into Sony again.

Re:Scrambling to contain the crisis (2, Funny)

slavemowgli (585321) | more than 8 years ago | (#14139950)

I'm not sure if the "scrambling" in the title is an intentional pun here, but if it is, it's brilliant - hats off to you. :)

"It" usage (1, Funny)

Anonymous Coward | more than 8 years ago | (#14139845)

It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers.

It rubs the lotion on its skin. It does this whenever it's told.

lawsuit season (2, Interesting)

ltwally (313043) | more than 8 years ago | (#14139853)

Normally, I'm not in favor of suing. Seems that there are far too many frivolous lawsuits, these days. In Sony's case, however, I'll go so far as to say that they deserve to get their ass handed to them in court.

Not only did they put something like this in their CDs, but they were warned by a respected security/anti-virus firm about it... and they did nothing until the public caught on. An example needs to be made of companies that behave like this.

I say, write your state legislator as well as your congressmen and senators, and urge everyone to sue. Let those <sarcasm> lovely </sarcasm> DMCA laws work in our favor, for once.

It doesn't matter. (3, Insightful)

gasmonso (929871) | more than 8 years ago | (#14139861)

Until there are devastating consequences for any company that does this, it just doesn't matter. 90% of their customers don't even know about this, and the ones that do, don't fully understand it. This can only change once the average consumer is educated on the issue and there are successful lawsuits that punish companies like Sony. Sony knows that this will blow over in a few months and most people will forget about it (except Slashdot readers of course). People will just continue to buy CDs like they always have.

gasmonso http://religiousfreaks.com/ [religiousfreaks.com]

Define 'serious' (1)

Billosaur (927319) | more than 8 years ago | (#14139919)

From Business Week: That's when F-Secure got into the act. Guarino sent an e-mail to the Finnish company, since it makes the rootkit-detector software that he used to investigate. F-Secure did its own investigation and notified Sony DADC, which manufactures Sony BMG CDs, on Oct. 4. Sony BMG says the e-mail, which was forwarded to it on Oct. 7, didn't signal a serious security issue.

Let's see: someone tells you that the software you are blithely putting on other people's computers has a security flaw, one that potentially leaves millions of machines vulnerable to attack, and that's not considered "serious"? I think we should all be grateful that Sony's executives are not running the country... but then again, maybe they are?

Who cares when Sony was warned... (3, Insightful)

person-0.9a (161545) | more than 8 years ago | (#14139986)

This has already been said by Bruce Schneier, but...

F-Secure warned Sony about the dangers on October 4th, yet still failed to protect any of its users in a timely manner.