2005-11-14

Security Threats on Sony Music CDs

It turns out that for the last year or so Sony-BMG has been shipping
rather dangerous Windows software on many of its music CDs. When the
music CD is inserted into a Windows PC it displays a message informing
you that it wants to install a music player so you can listen to this
wonderfully exciting new form of music CD. And if accepted it installs
a "rootkit" which secretly hijacks some parts of Windows without
informing you.

Firstly, the automatic installation of this Sony software can be avoided
to some extent by disabling auto-run:
http://www.annoyances.org/exec/show/article03-018

Some less technical information on the Sony rootkit from CNet:
http://www.cnet.com/4520-6033_1-6376177.html

EFF's growing list of CDs known to contain the rootkit:
http://www.eff.org/deeplinks/archives/004144.php

EFF breakdown of the legal restrictions Sony imposes on people who
choose to install this software by agreeing to the EULA license:
http://www.eff.org/deeplinks/archives/004145.php

NPR Audio with clips from SysInternals (who discovered the threat) and
Sony BMG President. There is a lovely audio clip of Sony-BMG president
saying that rootkits aren't a threat to anyone because, get this, and I
quote, "most people don't even know what a rootkit is":
http://www.npr.org/templates/story/story.php?storyId=4989260



What the Sony rootkit does

  1. Installs a windows kernel patch that allows arbitrary files to be hidden even from Windows itself.
  2. Replaces the CD drivers with ones that prevents listening to or copying audio CDs. Any program which attempts to access the protected music CD is immediately terminated without prompting or authorization. It maintains an internal list of programs which are commonly used to copy CDs.
  3. Installs a music player program which is allowed to listen to the audio CD and make up to three MP3 files from tracks on the CD. It also allows Windows Media 9 to generate encrypted music files for use with Sony, and a few other, encrypted portable music players.
  4. The music player, somewhat covertly, sends a transmission back to Sony-owned servers each time a a music CD is inserted requesting album art for that specific CD.

Why this is bad and may even be illegal

  1. Sony doesn't explain what the software they install is doing to Windows. In many countries it is a serious crime to modify a computer system without the full consent of the owner. That means fully disclosing to the owner what will be done to the computer system. Instead, the EULA basically states that Sony can do anything they want to your computer and you need to install the software in order to listen to this perfectly normal audio CD. Which simply isn't true. The CD plays fine until after their software is installed. That aside, it isn't within Sony's legal rights to prevent you from listening or in any way using a music CD that you have legally purchased. But it may be within their rights if you were to agree to their EULA license because that may be a binding contract.
  2. The rootkit's kernel patch hides files with names beginning in $sys$. Viruses have already incorporated the Sony rootkit into them. The rootkit makes it impossible for anything to even detect let alone remove a virus using Sony's rootkit. Virus scanners are totally useless against any virus incorporating this technology.
  3. The software installed by the CD is invisible and there's no way to uninstall it. Attempting to do so will damage Windows. Sony's recently announced uninstall procedure is almost impossible to complete and possibly dangerous to even attempt. Some virus scanners (F-Secure, Symantec, Microsoft, et al) are issuing updates which supposedly detect and safely remove the rootkit. In the case of Microsoft, and probably some others, it appears that they may have to rewrite parts of their virus scanners to accomplish this. (ie. This scenario wasn't anticipated by most existing virus scanners.)
  4. The rootkit intercepts low level Windows kernel functions. Unlike the original kernel functions it does not validate any information being passed to it. Therefore, it is extremely easy to cause windows to crash with a blue screen. Meaning, it makes Windows infinitely more fragile than it normally is... Normally, the Windows NT kernel protects the system from crashing but the Sony rootkit is poorly written and bypasses Windows' built-in protections.
  5. Removing the kernel patch itself using normal means either makes Windows totally unable to boot or corrupts the CD-ROM driver so the drive doesn't work any longer.
  6. The music player software appears to incorporate the LAME MP3 encoder in some way. In any case, there's strong evidence to suggest it is built into at least some versions go.exe on the CD. The LAME software is licensed under the LGPL license. If that is true then Sony is not fulfilling the LGPL license requirements in any way. Therefore, they may be violating numerous other people's copyrights in order to supposedly enforce their own copyright. And in doing so they would be breaking federal law in many countries including the US.

Long, technical details (listed in cronological order)

  1. http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
  2. http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
  3. http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html
  4. http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html

Alternatives

And the obligatory note that Linux, Macintosh, and other UNIX systems
aren't subject to this sort of insanity because of a very long list of
reasons based on decades of experience and sound judgment on the part of
their respective developers. And, also a note that ordering a stack of
Ubuntu Linux CDs costs precisely $0, postage is even free:
Order free Ubuntu Linux CDs:
https://shipit.ubuntu.com/
Ubuntu Linux:
http://ubuntu.com/

Labels:

- posted by Augur @ 04:11 [Permanent link]
2005-11-12

Posture!

So, it's 4:30 in the morning and I'm wide awake listening to Radio Paradise. Great music. Dreadful hour. My back hurts. My brain is fried. All is not lost for I have chocolate.

Ya know, I've never really liked keyboard shelves under the desk. But I'm beginning to think that the cause of my back pain has been from leaning to type. This started about the time I replaced my desk. (And nearly killed myself crawling around on the floor running wires behind the desk.) Bad posture may be aggravating things since I spend like 16 hours a day typing. So, yesterday I installed the keyboard shelf that came with my desk. I think it has made a big difference. Still some aching but nothing like it has been. And it seems to be slowly improving. I guess I'll know after a few days.

Visitors

In other news, I was visited briefly by a very pregnant Mantis:


Shapeshifting Forms

I keep running into major annoyances when writing complex web forms. The appearance is always ugly and varies wildly based on browser and operating system. It's a real problem in situations where you need the form to look precisely one way no matter how it is viewed. So, I've been contemplating writing a comprehensive javascript class which allows you to customize a form so it looks consistent across all operating systems and browsers.

Most importantly, this wouldn't require any changes to the way you create a form. You could take an existing form and simply attach the class initializer to the window.onload event. The form is created using perfectly normal HTML. The class rewrites the appearance of the form using javascript to manipulate CSS and HTML. There are numerous disconnected examples of this already. I modified an existing example of a form select for my proof of concept HTML form themes. It's really pretty ugly at the moment. But it's given me some confidence that a class library is feasible.

Less importantly, HTML forms look horrible on paper. So I'd also like to have a print function which takes the editable form from the web page, reformats it and makes a nice printed document. This is something that comes up more often than you'd think. Often people will print a form just before they submit it so they have their own record.

Labels:

- posted by Augur @ 02:26 [Permanent link]
2005-11-06

OpenSolaris + Ubuntu = Nexenta

For years I've always bought the latest Sun Solaris operating system release hoping it would be better than the last. It doesn't even seem to gradually get better. It seems like every improvement they make is offset by some other part which has become worse.

So, they finally decided to infuse some new blood into the system by releasing most of the system, as OpenSolaris, under their CDDL open source license. CDDL is not exactly a very good open source license, mind you. But does qualify as open source nonetheless. I can assure you that I won't be abandoning my Linux systems for OpenSolaris. But I am very glad to see Solaris finally being improved in a way that makes sense.

Aside from the OpenSolaris project itself there is a recent spin-off called Nexenta. Nexenta seems to me to be the perfect solution to the problems with Solaris. Nexenta is based on Ubuntu Linux but they have replaced the Linux kernel with the OpenSolaris kernel. Ubuntu Linux is derived from the Debian Universal Operating System. Debian is based on the GNU system. Debian doesn't mandate any specific kernel or applications although it currently favors Linux. Instead Debian is built around the idea of alternatives. You can swap out components to fit your business or personal needs around this basic GNU system. As such, Debian currently provides Linux, FreeBSD, NetBSD, and GNU Hurd kernels and roughly 18,000 applications to run on them. If Nexenta succeeds then Debian would provide a fully functional OpenSolaris kernel in a future release. Nexenta has simply built packages for the OpenSolaris kernel and system utilities which integrate into the Debian OS.

I think that Sun should take a long hard look at what Nexenta is doing and strongly consider pursuing a similar course. Debian truly is the way forward. Debian provides a rock upon which all other operating systems can be built.

This is idea of building a GNU system on top of Solaris is nothing new, really. Indeed, before Linux, much of GNU itself was built on SunOS and Solaris. But now the whole process can be legal and formalized into outside projects. Since the late 1980s nearly everyone who purchased a Sun system would go through a several day long ritual of augmenting/replacing the Sun software with GNU software. To the extent that Sun eventually started including much of GNU on companion CDs. Many of the GNU utilities are superior to Sun's own software. Sun has areas where they excel. However, they are but a few people in a vast sea of developers working on this sort of software. Most of the Solaris applications have become outdated as they focused on niche areas. Meanwhile, the rest of the world has continued developing, refining and often replacing those applications with better versions.

Sun has promised great things by moving their desktop away from CDE (Common Desktop Environment) on to the newer GNOME. Solaris 10 included GNOME as its default work environment. Or, at least enough of GNOME to make you scream, "What were they thinking when they did this!" Sun neglected to port many important features from CDE to GNOME. Worse, GNOME on Solaris 10 had nearly all of the good GNOME software replaced with lousy Sun Java software that barely even functioned at all. You might wait several minutes for a simple note pad or calculator to load as all of the Java infrastructure bootstrapped itself behind the scenes. The reason they did this, I've heard them claim, is to delay porting those programs to Solaris and/or their SPARC CPU. They wanted to get the infrastructure correct before they attempted to port the applications.

But I think that misses the point. They shouldn't have to port thousands of applications to Solaris. Nearly all of these applications are written according to POSIX, Single UNIX Specification, and Linux Standard Base. These are ISO standards, like it or not. Solaris should be changed to support those standards and then all of the applications will work mostly unmodified. You might need little tweaks here or there. And if those are common tweaks across many applications then a library can be built to abstract the differences.

And this is exactly the sort of environment Debian provides. The net result is that, with few exceptions, you can run the same program from the same Debian package on any system regardless of which kernel is in use. There is no porting required at all because all of the various kernels have binary-compatible programming interfaces. In effect one program runs everywhere.

I do wish Sun could find some way to release Solaris under the GPL license but perhaps that will come with time. It's not as simple as one might think to release something under GPL. They probably don't even have sufficient legal rights to the code to make that leap. However, perhaps with time, problematic code can be replaced. Maybe it never will. Getting the ideas behind the code out into the public mind is a great start.

Labels: ,

- posted by Augur @ 16:49 [Permanent link]