First Sony/BMG rootkit trojan discovered
Thursday
Nov 10, 2005
I recently wrote about Sony/BMG’s installing a rootkit into systems that use Sony/BMG compact discs labeled with a copyright protect sticker.
This was discovered by Mark Russinovich of SysInternals, who has written a handful of articles on how the malware works. Yes, it’s malware! Corporate giant Sony actually installs some form of virus into your system to make sure you don’t copy music off their CDs into MP3s (and possibly distribute them–illegally)!
Check out Mark’s posts:
- DRM Gone bad
- Sony’s rootkit phoning home
- Rootkit creator responds
- Sony reaaaaaaly doesn’t want to uninstall its rootkit!
How’s that for a corporate philosophy?
And now, it looks like someone has discovered how to take advantage of the rootkit, and actually released a trojan that rides on Sony’s software to wreak havoc on users’ systems.
According to the Register,
… the malware arrives attached in an email, which pretends to come from a
reputable business magazine, asking the businessman to verify his/her
“picture” to be used for the December issue. If the malicious payload
contained in this email is executed then the Trojan installs an IRC
backdoor on affected Windows systems.
This is DRM gone bad.
We’re on the subject anyway, so let’s talk about DRM.
Do you think that ripping music from a CD into MP3s and distributing them to your friends is downright wrong because it hurts the artists?
If so, then you’re wrong.
Distribution of music digitally hurts the recording companies, and not the artists.
Do you know how much an artist makes off royalties from each CD sale? Maybe a couple of cents to a little less than a buck!
The big studios–the holders of the publishing rights–get to earn the big bucks. Yes, the recording industry works that way. You basically get to sell your soul to the bigwigs! The corporate giants have the rights to your work, and pay you pennies apiece for selling your art.
The artists earn more off gigs and concerts, and maybe other commercial endorsements.
That’s why the MPAA and RIAA are so bent on killing online music distribution–it hurts their bottom line. And they argue that the artists are the ones that get hit.
Huh?
There is this argument that open distribution of art works (including music) is actually helpful to an artist’s exposure. Not only do more people get to love your work, they are actually influenced to buy your stuff–more of it–after hearing what you have to give.
Piracy? It’s not human nature to be evil. We’re inherently good, aren’t we?
And I think it should be perfectly all right–and within fair use–for a person to rip into his/her computer the contents of whatever CD or DVD he/she legally purchases, so as to enjoy the content through other avenues, like on a portable media player or other device.
By instituting super-secure DRM (which can actually be cracked in less than a day by DVD Jon!), the publishing outfits are making it difficult for legal users to actually use their stuff in a fair manner.
They tend to end up making life worse for their own clients, such as with the case of Sony. They’re frickin’ alienating us! They’re making pirates out of otherwise good citizens.
And worse, they install malware on our systems.
Shame on you, Sony!
You can never curb big-time piracy. The big-time pirates have all the equipment, manpower, money, and reason (profit), to crack your stuff. We end-users only want to enjoy listening to music or watching movies for entertainment.
Life’s hard as it is. Please don’t complicate it more!
Good reads/resources on intellectual property, copyright, privacy, and digital rights management:
(via DIGG)
J. Angelo Racoma is a technology journalist and blogger. See more of his blog posts here at racoma.com.ph, commentaries at racoma.net, and Twitter feed at @jangelo.
Beware! Sony might be installing rootkits on your PC!
Tuesday
Nov 8, 2005
Before inserting that Audio CD into your personal computer’s CD drive, take time to check if it has a “Copyright Protect Enhance version” label.
Sony / BMG has been found to install software called XCP–actually a rootkit–on systems where “Copyright Protect Enhance version” CDs are played, which basically limits how a consumer can use the music.
Licensed by Sony from a Banbury, U.K., company called First 4 Internet,
XCP prevents users from making more than three backup copies of any
XCP-protected CD.
Problem is that XCP is basically a rootkit. What’s a rootkit? Check it out here: Wikipedia, PCWorld, SecurityNow, SysInternals.
From Wikipedia:
A rootkit is a set of tools frequently used by an intruder after cracking a computer system.
These tools are intended to conceal running processes and files or
system data, which helps an intruder maintain access to a system for
malicious purposes.
Check out Mark Russinovich’s blog post here. Mark is from SysInternals, and is the person credited for actually discovering this Sony malware.
The DRM reference made me recall having purchased a CD
recently that can only be played using the media player that ships on
the CD itself and that limits you to at most 3 copies. I scrounged
through my CD’s and found it, Sony BMG’s Get Right with the Man (the
name is ironic under the circumstances) CD by the Van Zant brothers.
And the software is reportedly so badly written that it scans
the executables corresponding to the running processes on the system
every two seconds, querying basic information about the files,
including their size, eight times each scan.
While Sony / BMG has issued a “service pack” to XCP that allows de-installation, the fact that the media giant installs malware on consumers’ systems has pissed off civil libertarians and consumer advocates.
So the next time you want to rip a CD’s contents into
your PC, be careful. You might even want to avoid buying Sony / BMG stuff altogether.
For all you know, Sony stuff might be the thing that would eventually bring
your system down!
Using Skype? Be sure to upgrade!
Sunday
Oct 30, 2005
From Computerworld: Skype may pose a security threat.
The warning comes after the disclosure this week
of two critical flaws in Skype’s software, one of which could allow
malicious hackers to take complete control of compromised systems.
…
One of the flaws is a buffer overflow error in
Skype’s user client for Windows that could allow attackers to execute
arbitrary code on compromised systems, according to a statement from the company. The other vulnerability
is a heap overflow flaw in a networking routine affecting Skype clients
for all platforms. That flaw could crash the client software.
The Skype network is basically built on the concept of distributed computing. So it is inherent in the Skype Client to allow for the network to “control” your computer to run some processing cycles.
So better be safe. Upgrade to the latest versions as they come out!
Security Breach via Clipboard
Wednesday
Sep 21, 2005
Via Ambot Ah!:
Take caution in using your computer’s clipboard feature (usually
Control-C in Windows or Command-C in Macs). Some browsers are
capable of transmitting this information over the web by a combination
of Javascripts and PHP/ASP/CGI, hence presenting a security threat for
those who have a habit of copying and pasting credit card numbers,
passwords, and such sensitive information.
For example, select any text and then press Ctrl-C (or right click then click Copy, whichever you’re most comfortable with).
Then click this link.
If you’re using Internet Explorer, your copied text is bound to appear
on the website, meaning their server was able to get hold of the info
on your clipboard. Firefox users are not affected.
Do not keep sensitive data (like passwords, credit card numbers, PINs,
etc.) in the clipboard while surfing the web. It is extremely easy to
extract the text stored in the clipboard to steal your sensitive
information.
Another reason to switch to Firefox!
Cool anti-spam measures
Wednesday
Sep 14, 2005
I’ve been looking into anti-spam measures, and we at i.PH eventually ended up with the built-in Nucleus CAPTCHA plugin.
But this anti-spam feature enforced by Sacha on her wiki-blog is pretty interesting:
NOTE: ANTI-SPAM MEASURE NOW IN PLACE. Please answer the
following question with the right number in order to send me your
comment.
What is 1 + 1?
I guess she’d have to change this every so
often, and most likely also program her own system (email client?
wiki?) to accept only the correct answers. But it’s an innovative
way to filter out unwanted messages, methinks.
Next anti-spam question: Key in Pi up to a thousand decimal places.
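One way a question like this could be rotated on every page load and checked server-side, as an added example that is not from the original post or from Sacha's wiki. The function names, the secret key and the ten-minute lifetime are assumptions made for the illustration:

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-site secret, kept server-side
TTL_SECONDS = 600                     # assumption: a comment form is valid for 10 minutes
_used_nonces = set()                  # in-memory for the demo; a real site would persist this


def _mac(answer, issued_at, nonce):
    msg = f"{answer}|{issued_at}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def new_challenge(now=None):
    """Return (question, token); the token travels in a hidden form field."""
    now = int(time.time()) if now is None else int(now)
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    nonce = secrets.token_hex(8)
    # The token carries a keyed MAC over the answer, never the answer itself.
    return f"What is {a} + {b}?", f"{now}.{nonce}.{_mac(a + b, now, nonce)}"


def check_answer(token, submitted, now=None):
    """Accept only a correct, unexpired, not-yet-used answer to a token we issued."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued_s, nonce, mac = token.split(".")
        issued_at, answer = int(issued_s), int(submitted.strip())
    except (ValueError, AttributeError):
        return False                  # malformed token or non-numeric answer
    if not 0 <= now - issued_at <= TTL_SECONDS:
        return False                  # expired, or timestamped in the future
    expected = _mac(answer, issued_at, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                  # wrong answer or forged token
    if nonce in _used_nonces:
        return False                  # replay of an already-solved challenge
    _used_nonces.add(nonce)
    return True
```

A check like this filters generic form-filling bots; a script written for this one site can still read the question and compute the sum, which is why image CAPTCHAs such as the Nucleus plugin mentioned above exist.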