I’m proud to announce a major step forward in the legal phase of the Sony rootkit story: Scott Kamber and Sony have filed a proposed settlement for the national class-action suit brought by Scott. While I didn’t participate directly in the negotiations, I’m serving as an expert for Scott and provided input on the terms, which I think are a significant victory for the consumer.
I won’t recount the specifics of the agreement, which incidentally isn’t final until approved by the Southern US District Court of NY, because other articles have already summarized them. However, the basics include consumer incentives for returning their DRM’d CDs in the form of money and/or free albums (from a choice of sources, including iTunes!) and independent oversight for the next two years over Sony’s DRM development and EULAs. In addition, Sony waives most of the terms of the existing XCP and MediaMax EULAs and allows customers who experienced computer problems as a result of the software to file independent claims outside the settlement.
Reaction to the news has generally been positive, but there are some who believe that Sony has been dealt little more than a slap on the wrist. I had no reservations about giving the settlement my approval, and I think that this specific circumstance has had a best-case outcome for those affected.
I certainly don’t think that this should be the end of the general story, though. While Sony is now bound, at least in the short term, to constraints that protect the public from repeats, other companies still have great leeway in their approach to DRM. I’ve made it a theme of my posts on this topic that the government needs to formalize in law some of the core guidelines of the Sony settlement. Fundamentally, users need to have enough plain-English information presented to them during a software installation, DRM-protected or otherwise, to make an informed decision when they consider accepting a vendor’s terms and the software’s impact on their system. It should also be law that vendors must include local uninstall functionality. Until changes are made, we’re all at risk of losing control of our computers to aggressive DRM tactics.
That's interesting, how Sony's lawyers will respond :)
12/30/2005 11:47:00 AM by Roman
I think that presenting the information during the install is too late. In most cases even if you do not accept the agreement, you can not return the CD. Let’s say you go to your favorite music store and purchase a CD with DRM. You take it home, open the package, and plug it into your computer. There you realize they want to install a bunch of stuff you don’t agree with, so you decline. Well, your new but opened CD is no longer returnable, so now you are stuck with it. That’s usually true about software as well.
By the way, great job on not only the research you did related to the software, but everything you have done with regards to pushing for individuals’ rights!
12/30/2005 12:35:00 PM by chad
Courageously you stood against a global corporation with far more to lose than to gain. You represented the average person with a single voice who dared to speak out; it then multiplied around the globe. It was heard by many corporations around the world and none can dismiss a single voice any longer.
My opinion of the outcome I will voice another day.
12/30/2005 1:03:00 PM by Stephen
Look at page 15 of the settlement document:
...In addition, before manufacturing and issuing any CDs with copy protection software at any time until 2008, SONY BMG will: ...
(7) ensure that SONY BMG will only be able to collect limited information from the CD user necessary to provide enhanced functionality to any such CDs, namely album title, artist, the computer user’s IP address, and certain non-personally identifiable information, without the user’s express consent;...
12/30/2005 1:35:00 PM by Anonymous
Any DRM-protected CD, Sony or otherwise, should have a label on the packaging similar to that of those that have "explicit lyrics"; that way those who want to avoid such material can do so easily.
12/30/2005 5:45:00 PM by Croz
Sony is a member of the Coral Consortium and owns Intertrust with Philips.
I hope they decide to push for this shared-source, cross-platform DRM framework in the new year with oversight from the community.
12/30/2005 6:34:00 PM by Matt
I really hope that there will be enough people who will withdraw from this settlement if it's approved by a court. It just needs 1000 who say that this is not enough! Or do you think this is enough?
12/30/2005 6:47:00 PM by Anonymous
I was planning on publishing my papers that I have written during my time at DeVry onto my website for the public to download. I am still planning on doing this; however, recently the idea has crossed my mind to embed a "DRM" program with it. Along with the paper, I could legally create a zip file and include a trojan horse/spyware program (or "DRM technology"). (i.e. Optix Pro)
If I state in the zip file that the program is a DRM program designed to protect the technology inside the document, it's legal. If someone tried to report me to the police or if someone tried to sue me for distributing a trojan horse / spyware program, I can just refer to the EULA and claim that it was a DRM technology, and the person who found out what it was circumvented the DMCA, and I could press charges against the "user".
If anyone has a Sony XCP CD (or, from what I'm hearing, others' equivalent DRM technologies) - could you possibly upload the DRM component to my website's forums (http://f00dl3.proboards70.com/). I would really like to get my hands on this stuff. Thank you.
(P.S. - If it were not for the class action, this lawsuit would have never had a shot at even being heard or filed. It's pointless to sue someone over a computer virus when the odds are against you [DMCA] and when it takes a billion dollars to file a lawsuit)
I advise anyone who has the resources and knowledge at their hands to start doing things like this.
All in all, the best way to resolve this DMCA situation is to use the DRM to a point where it gets people soo pissed off, and violates every other right that the constitution and other laws are designed to protect.
Anymore, the only way that normal people have a chance at changing the laws in our country would be to create our own content and protect it with viruses, spyware, and trojan horses. Perhaps once people start to realize that the DRM technologies are not good, maybe someone will be able to change some of the clauses of the DMCA to allow more consumer freedom.
The way not to bring about change is to just moan about it. So do something for your rights, instead of complaining about how Sony violated yours and got off sooo easy, and I never heard a single mention of the Sony "suit" on my local FOX 4 News station here in Kansas City.
12/30/2005 6:51:00 PM by Anonymous
I am a bit confused by the settlement, and since you seem to have been a part of the negotiations, perhaps you can answer my question.
What is the fate of the MediaMax discs that have already been sold? Are they to be recalled as well?
The security risk of MediaMax is significantly less than that of XCP, but it presents a risk nonetheless, and I would like to be able to exchange the disc for one that does not carry that risk.
The language of the proposed settlement directly addresses XCP protected discs, but it was rather vague about MediaMax. Do you have any light to shed on this?
12/30/2005 8:08:00 PM by Anonymous
Good job Mark.
12/30/2005 8:58:00 PM by Bob K
Maybe what we need is some sort of way that a user can customize the OS such that software either will or will not install according to the user's stated preferences -- in essence, what I'm proposing is the development of a protocol that makes legal agreements a snap, at least as far as software is concerned.
12/30/2005 11:05:00 PM by Anonymous
Mark - well done, great work well executed. I agree with others that it should be explicitly shown on the CD cover. IMHO in the fashion of health warnings on European tobacco products, i.e. with a specified minimum size etc.
It will also be interesting to see what happens to First4
12/31/2005 3:27:00 AM by Geoff
Congrats for starting all this! It does seem like Sony got off slightly light (esp. the until 2008 part some commenter mentioned), but then again the criminal case(s?) are still going.
Let's hope this does indeed start a bit of thinking in the music industry, although for that the price for Sony may not have been high enough. Then again, if this had gotten onto more CDs first, the price would have multiplied, so the risk is still enormous for most companies.
12/31/2005 10:37:00 AM by legolas
Nothing but a slap on the wrist of Sony. What a joke.
They should have to pay huge fines, AND the scumbags who OK'd this nefarious activity should do JAIL TIME.
If I engineered a rootkit and distributed it with some other software users were installing, and put computers at risk, I would do time in prison--so WHY not these evil slobs?
But what aggravates me as much as anything else is the fact that idiot consumers won't boycott Sony for this, or at least not to any extent that sends a real message to the industry. No, they'll keep buying that crap music they so desperately crave.
12/31/2005 2:53:00 PM by Irreligious
Happy New Year! Yeah...
12/31/2005 4:33:00 PM by Anonymous
Well, this goes up to Sony, Microsoft, the RIAA and everyone else promoting DRM and "technologies" like that...
What I really can't understand is, is it really worth it... to spend so many billions of dollars every year on both lawyers and researchers, just to build and distribute these trojan-like "protection schemes"?
Well, I am not a high-end economist, but I guess that building a good, trustworthy relationship with the customers costs far less than all those anti-piracy pseudo-prophets... in the final end, no one is convinced by them.
Spend money to protect money, money that's already lost to lawyers/"programmers"...
that's really weird logic...
Let's not cheat ourselves: the very simple common people's logic/truth goes like this: if it's cheap/pirated, they might give it a try. If it is high quality, they're definitely gonna buy it, even if they have to work very hard to get the money for it... no matter how much it would cost.
Do you really think it's that easy to change people's ethics? If the answer is yes, then you're far more idealistic than I thought; that's a bad habit for a company dealing with "realistic" money.
This is simply NOT gonna change. NEVER.
Why? Because they don't have YOUR money to be able to get whatever they need, so they are forced by YOUR money-ruled ethics to think like that, whether you/they like it or not.
Furthermore, how can you convince people to change their ethics towards piracy while using unethical methods?
The fact that people have less money doesn't mean they are more stupid than you... exactly because they have less money, they will be more suspicious towards you and tolerate far less crap...
What comes next? A paid HxDef-based DRM?
There are actually some losers of the VX community out there who could do that for you, in Special Edition (for CDs), Gold Edition (for box sets), etc...
My guess is that some people are so blinded by money that they don't know how to handle it... it's a shame:
The music industry once, in the name of people's entertainment, would find/"develop" new "talents", in an effort to establish "real pop stars" that could stand for more than one night in the charts.
Now things are more than worse... they are ridiculous: they find/"develop" new "technologies" in their effort to establish "laws regarding patents" that could stand for more than one night in payware operating systems...
This time, in the name of people's intellectual property...
Conclusion: New times, same ethics...
1/1/2006 1:33:00 AM by Does-my-name-really-matter?
Really good and interesting news, try more Mark,
after Sony got that hit, and as I saw how things moved around a couple of hours ago, I think Sony should (will) take a leave.
1/1/2006 3:01:00 AM by LVIIIII
You rock totally, Mark. Sysinternals is a worthy and valuable service to the WORLD. Your recent fracas with Sony was highly entertaining. It's amazing that a major corporation like Sony doesn't have (or listen to) qualified technical counsel who could have quickly told them that you know your stuff and that the battle was pointless. Actually, maybe they did listen after a short period of denial; that might explain why they reversed so quickly, after a few short months. (The blackhats and their DRM rootkit exploits were just icing on the cake.) Congrats 2 u and Sysinternals. Live long, produce and prosper.
1/1/2006 4:54:00 PM by Anonymous
As Michael Jackson once said re: Sony... Tony Matolo is the devil!
1/1/2006 5:53:00 PM by Shaun
What you wrote looks like an inconsistent compilation, which I guess was mainly due to time disallowance. Also, you seem to have gone too far with your analysis, which turns out to be apparently contradictory to Sony's realities. The way they are dealing with what is currently happening, in my opinion, is nothing far away from that which Sharma network used to handle in its case.
1/1/2006 10:49:00 PM by Anonymous
Austin-Statesman did a good job, now my friend knows more about Mark too :-D
1/1/2006 10:58:00 PM by LVIIIII
What about StarForce copy protection doing the same thing?
1/2/2006 7:56:00 PM by Toby
There is nothing more than power or money that people wish to gain.
Customer demands are always carefully checked as a marketing/competition strategy to increase product sales. Surely there is no exception for Sony when they are there for public entertainment. That means their technology 'falls' for malware mainly because of business expansion, help, and above all money.
I once heard Kent Roberts say "Only kids have true love for something", although honestly I still don't understand why Roberts keeps thinking he made a victory over an untrue, unreal love from an egoistic man full of demands which lead him to different sufferings. Contradictions like that always exist just because no one wants to lose.
1/3/2006 12:21:00 AM by Anonymous
Thanks for all the hard work, Mark! You continue to prove the value of you and your company to those of us who try to do things right for our users. Keep up the GREAT work!
1/3/2006 7:05:00 AM by Garry Venning
Closing the loop, I received notice from Amazon, apologizing for any inconvenience caused by the S8ny product they had sold me.
Thanks again, for the vigorous pursuit!
1/3/2006 3:48:00 PM by Anonymous
1/10/2006 9:59:00 AM by Anonymous
It's disgusting that they (SONY) are being given such a pass.
They should be required to restore or replace every system they infected. No other result would be a clearly defined punishment.
"We're sorry, here's a little cash and some free(?) music; all your other problems, caused by us, are now solely your responsibility."
Are you satisfied with the Union Carbide settlement at Bhopal?
1/12/2006 8:28:00 PM by trollafrogg
I'm sorry, but I just can't agree with you that this is good news. This is a paltry sum for which customers must jump through hoops and provide personal information.
This settlement completely fails to address any repayments for computer support end-users. It also doesn't address Sony's security denial, transmitting information, or a host of other problems.
Mark, you really feel that $7.50 and 12 mp3 files adequately compensates you for your time? Do you think that $7.50 and 12 mp3's adequately compensates end-users and businesses that have paid to have their crashing computers fixed? I'm sure the lawyers involved in this case sure got more than $7.50 and 12 free mp3's.
You feel that this is a good settlement? I think it stinks and Sony is laughing all the way to the bank. I think the lawyers, and frankly YOU, should be ashamed of this settlement; it's completely inadequate.
1/18/2006 12:26:00 PM by Anonymous
I do not think this is a good settlement. I spent a few hours reinstalling a family member's computer. Seven bucks and a few songs really feel like a slap in the face to me. The CD my family inserted was purchased for around fifteen dollars. How does half that price compensate? How does this settlement remove the millions of infected CDs out there? Most importantly, as a previous poster commented, after the hours and hours of work you've put into disclosing this, do you feel that eight bucks and a few songs compensates you for your time?
Something tells me that you were compensated quite nicely along with the law firm heading up this lawsuit. The rest of us poor schmoes are just outta luck, and even if, say, a thousand people take up Sony on this offer, that's only about ten thousand out of Sony's pocket.
I know there were other terms of the settlement that Sony must comply with (although I'm pretty confused as to why the MediaMax discs aren't being recalled), but IMHO this settlement is a clear-cut case of the customer losing spectacularly.
1/20/2006 4:40:00 PM by Anonymous
Hey there! Here's something you might want to investigate. Install a Linksys WUSBF54G (a USB dongle that does .G). Now start watching the output of NETSTAT. There are a lot of connections being attempted to:
and a few other IP addresses w/o DNS names.
1/20/2006 10:30:00 PM by Anonymous
Sony installs millions of rootkits on computers in every state and the entire world, and this is the best settlement there was? A recall of only half the infected discs and reimbursing a single-digit percentage of consumers half-price, while completely avoiding the massive security problems, additional problems the uninstaller caused, the phone-home underhandedness, the millions of discs still sitting on people's shelves, or the millions of dollars spent on computer support issues and crashes?
So really, Sony will get nothing more than a minor hand-slap, they will recall the discs they were already recalling (but only half of them), and they have to pay probably less than $100,000 to the consumers while gaining private information.
WTF is absolutely right.
1/21/2006 10:44:00 AM by lawryll
It's got to be said: making it mandatory, in law, for software to have an "uninstall" function is nuts. In many environments, such as Unix "make install" paths, it's expected that the software will *not*; it would take terrible contrivances to fit a complete uninstall path (e.g. saving and restoring backups) into them. It's easy on systems where applications are typically installed to isolated directories, but not all systems follow that paradigm.
This is a problem to be solved by technical means. It should be the norm for home PC users to run as a limited account. People should be acclimated to being prompted for a password to authorize installation of software, with explicit authorization for installing drivers. That's a much more promising long-term solution than asking lawmakers to start bending arms, and risk the razor-thin balance that implies. It's also much stronger against software developed outside of the country.
2/1/2006 8:58:00 PM by Glenn Maynard
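The limited-account approach Glenn describes above is something a home user can verify rather than take on faith. The following PowerShell script is an added example written for this page; it is not code from the blog post or from any commenter. It reports whether the current session holds administrative rights (which is what lets a CD autorun installer drop a driver silently) and lists every account in the local Administrators group, so you can confirm that the account used for everyday browsing and CD playback is not among them. It assumes Windows PowerShell 5.1 or later, which ships the Get-LocalGroupMember cmdlet.

```powershell
# Added example: audit whether this session is a limited account and
# which local accounts could authorize a driver or system-level install.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember).

function Test-IsElevated {
    # Reflects the token in use right now, including UAC elevation state,
    # rather than just group membership on paper.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Every member listed here can approve the kind of install the
    # XCP CDs performed; the everyday account should not appear.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$user     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$elevated = Test-IsElevated

if ($elevated) {
    Write-Warning "$user is running with administrative rights; an autorun installer could add drivers without a prompt."
} else {
    Write-Output "$user is a limited account; installing drivers or system software will prompt for an administrator credential."
}

Write-Output "`nMembers of the local Administrators group:"
Get-LocalAdminMembers | Format-Table -AutoSize
```

Run it from the account you normally use, in a console that was not started with "Run as administrator"; if the warning fires, that account is the one to demote to a standard user, keeping a separate administrator account for deliberate installs.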
Well, we speak about Sony, right?
They still have a lot of devices out there, and with their use you can also have your PC insecure and your privacy violated.
Example PSP (PlayStation Portable):
Nice piece of hardware for kids.
- The prices are dropping and new games with online features are coming out.
Also new content can be downloaded from http://www.yourpsp.de/ for example...
But to do this you have to go through hell:
- First of all you need to have a Java Virtual Machine installed on your computer. (Without it, you only get an error message. No alternative way.)
- After that, the true security nightmare begins: You have to allow a Java applet with an invalid security certificate. (Warnings: permit access to hardware, invalid certificate date)
- Then the applet checks for the connected Memory Stick, in a card reader or in the PSP plugged via USB into Windows like any other storage device (for example like a hard disk).
- After the applet has checked the Memory Stick remotely for savegame data, the content is finally downloaded.
Until now only Sony knows what information their applet is checking, scanning and transmitting.
But after all, we are talking about a gaming device for kids.
3/20/2006 5:14:00 AM by madsky
It has now been nearly three months since Sony Music/BMG settled this case, and there are still some major problems - namely, Sony has lived up to their end of the agreement.
First, CDs with the offending "Content Protected" software were supposed to have been recalled from the stores. Any time I go into a store now that sells CDs, I make it a point to search out artists I know are on Sony/BMG, and I ALWAYS find discs with this software on the shelves. I often call for a manager, and point out that these were supposed to have been pulled, and they give me the "deer in the headlights" look. (Also, I usually find discs with "C-P" software that weren't on Sony/BMG's list of titles they published on their website. Shame!)
Second, I have yet to see any type of advertisements that Sony/BMG was supposed to take out in major-market publications and on the Web announcing the settlement and offer of disc trade-in. C'mon, you've had three months. How much time do you need?
I should also note that I have begun contacting libraries in my area that have discs with "Content-Protected" software in their collections. Sony should have been forced to replace those copies in public libraries as well as in the marketplace; as long as there is even one copy left on a shelf somewhere, Sony/BMG can do their nasty work.
Mark, don't let this issue die. You forced Sony into a settlement (albeit one I think amounted to a slap on the wrist), now Sony needs to be forced into action yet again.
4/9/2006 8:45:00 AM by Christopher Thelen
Maybe interesting to know, but Norton Antivirus 2005 doesn't uninstall, I would say, a lot, hearing from many end users. I tried this in VMware, to see for myself. Sure enough, it took more than one hour to go through the process of uninstalling when using the Add and Remove Programs method, with error messages popping up. Well, I had the 2005 NAV remove-everything file, but this reported it no longer is allowed to be used, because it's expired! It did provide a URL, which takes you to Symantec online to install an ActiveX control to get the new version to uninstall the old NAV 2005. In plain English, if you don't have NAV working right and want to uninstall it, NAV no longer allows you to do this unless you can go online and get the most recent uninstall file. What are the chances of some end user being able to do that if NAV isn't working and needs to be uninstalled? Would any end user actually want to go online during a time like this also?
Conclusion: After 3 hours I managed to uninstall, and install NAV back, with the reboots...
Doesn't all this seem a bit too much, as it only takes about 60 minutes to install Windows as a clean, fresh new install...
What I don't like is the fact that NAV 2005 and perhaps 2006 (?) doesn't uninstall everything, if at all it does the job. So then you need to get the special uninstall file "SymNRT.exe", which is called "Symantec Removal Utility", to remove your NAV 2005. But remember from the above, if you had this before, having downloaded it back then when you were offered this, you discovered it expires! Who would ever think to expire an uninstall? What do you call that?
And for the fact that an end user must go online to get the new, not expired, almost-the-same file: before 645KB, the new version was 677KB, after having to okay about three times an ActiveX install.
I watched regedit add some new entries after this, also. Why are new entries being added to uninstall NAV 2005?
Don't believe me, try this yourself and see!
All this is too much time and effort for, say, my mother to contend with. I sure would not tell her to pay money to sit in front of her PC for more than an hour to uninstall what doesn't work, to then go online to fetch, after ActiveX demands three times, a 677KB file to do it...
Just trying to make a point so everyone will not let this become normal...
8/25/2006 3:02:00 AM by Anonymous