November 30, 2005

Time to Patch Again...

This just in... if you use Apple OSX - new critical patches have been released today. Don't think you're impervious to internet rats out there just because you use Apple instead of Microsoft! That's the way to end up in BIG trouble.

Java has also announced that they have some big security holes in their software that need patching. This announcement is for those running Java from Windows, Linux, and Sun Solaris. Get yourself updated if you use Java.

And Firefox has just released its latest browser upgrade - 1.5. So if you are going to upgrade the Java that runs with your Firefox browser... you might as well upgrade the browser too!

And last of all - for you Microsoft users... have you patched lately??? If not - please consider heading over and patching up your system today... although I will admit that Patch Tuesday (the first Tuesday of the month) is next week, still, it's better to be up to date whenever possible.

Happy Patching!

Posted by: Teresa in WebTech at 08:24 AM

November 23, 2005

A Little More Sony

As Grau notes, Texas is suing Sony under Anti-Spyware laws. I'm glad to see them taking some sort of action - although I do wish it was criminal proceedings rather than a civil court suit... at the moment, I guess I'll take what I can get. The law is having a difficult time keeping up with the changing nature of technology. Eventually we'll get there.

In other Sony news yesterday, Slashdot linked to an article by Gartner on defeating the malware on existing CDs. Unfortunately - Gartner wasn't very specific about the "fingernail size piece of tape" needed. Nor did they show their work. I find that to be unfortunate - if they're going to write about it - they should be more specific. Being cagey about it at this stage is just silly.

I didn't do a Google search - I would be willing to bet that someone out there has specific instructions and diagrams.

Posted by: Teresa in WebTech at 07:42 AM

November 18, 2005

Apple iTunes Security Update

Yes, even Apple has its security problems! Lots of people like to think they are kept safe if they stick with Apple. But via Slashdot we have the following...

"CNET is reporting that a critical vulnerability has been found in some versions of Apple's popular iTunes that could allow attackers to remotely take over a user's computer, according to a warning issued by eEye Digital Security, a security research firm. The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X, according to the advisory. The discovery of this latest flaw comes days after Apple issued its iTunes 6 for Windows security update."

So - all you Apple iTunes people - check it out and update your security please!

Posted by: Teresa in WebTech at 11:31 AM

November 15, 2005

Oops They Did It Again...

And the Sony Saga continues. I could make an entire blog career just following all the missteps Sony has been making in its attempt to prevent music piracy. Today we find out about the Uninstall program. It's the bit that's supposed to remove the rootkit that the original CD installed.

Apparently they've been taking lessons from Microsoft... where the patch that's supposed to fix things - really makes it all worse.

Stung by the controversy, Sony BMG and the company that developed the antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom, released a program that uninstalls XCP.

But the uninstaller has created a new set of problems.

To get the uninstall program, users have to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, it makes the PC open to downloading and installing code from the Internet.

According to the Princeton analysis, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet.

"The consequences of the flaw are severe," Felten and Halderman wrote in a blog posting Tuesday. "It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get." [emph mine --ed]

I have to wonder - do they have ANYONE at Sony who understands computer security? Or were the computer security gurus of the company simply overruled by upper management (this happens so often it's not even funny). It is nearly to the point of being a complete farce - they just keep digging deeper instead of stopping and trying to find a way out.

Unfortunately this is what happens when a company believes that the end justifies the means. They knew what they were doing when they created the rootkit. They knew it installed secretly and that it was not easily removable. Thus they thought they could gain some control over the pirating of their music.

If someone in my neighborhood had a factory in their basement and was turning out pirated CD's to give away... Sony would NOT have the right to search every house in the area and find that factory. They would NOT have the right to install monitoring equipment in my house to be sure I don't copy their music! As a matter of fact, that would all be.... wait for it.... ILLEGAL!!!

They would have to take the novel approach of making a complaint to the police and having the police gather evidence, then - if they were able to make a good enough case - getting a search warrant to search the premises, and finally an arrest warrant when there is enough evidence that a person is breaking the law.

Unfortunately the entertainment industry has forgotten about little things like evidence, search warrants, police... They've become a group of vigilantes and they're out to lynch those they believe are stealing from them. The problem is they don't seem to mind if they take out a bunch of innocent people along the way. Or maybe they think all of their customers are criminals in training... only waiting for that moment when they too can start copying CD's and pirating music.

Sony and all the other entertainment providers should have to go about this the same way that everyone else must - through legal channels. Talk about suspending the Bill of Rights! Why aren't the artists up in arms about this? Why aren't they out there condemning this type of action against innocent people? They're quick enough to screech in highly unpalatable tones about having their "free speech" rights denied to them (even though that has never happened). Why aren't The Dixie Chicks leading the charge against these marauders who seem to feel they can do whatever they want with private property?

I'll be waiting to see if any "artist" speaks out against this. It will be interesting to see how many (if any) feel that your right to have privacy is more important than Sony's right to find a few pirates.

*** note that I would have some sympathy for Sony if I felt they were actually sorry for getting themselves into this position. As it stands, they seem to feel they have done nothing wrong. That's pretty scary when you think about it. BTW - they're offering to swap CD's - if I actually had any of the offending CD's (which I don't) I would be very leery of a swap. Who's to say they don't have yet some other little trick up their sleeve and you end up in worse shape than before.

If you're one of the unlucky ones who got stuck with this garbage on your computer... I would seriously consider backing things up and reinstalling the OS. Or hit up Mark Russinovich to find out the latest on the technical aspects.

Prior posts are here, here, and here.

Posted by: Teresa in WebTech at 01:41 PM

November 14, 2005

Aren't They Swell!

Over the weekend I received an email from my blog daughter Mathcog Idiocy with a link to an article about Sony. The headline screams...

Sony to Suspend Making Antipiracy CDs

Interesting. Headlines being the misleading creations of deluded brains - they are often completely at variance with the actual story itself... so it must naturally be checked out. Or at least as checked as possible. (We're still talking about 99% of news sources getting their info from one source and it just gets passed around)

WASHINGTON - Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.

How big of them! So they're going to "temporarily suspend" the making of these CD's with the rootkit. How do we know which CD's have it and which don't? After all according to some accounts there could be up to 2 million CD's in circulation with the rootkit on them. Are they going to label them or do we get to guess? Considering the way Sony has handled this entire mess - my money is on the guesswork. If anyone is still buying their stuff. For that matter... how do we know that they are actually putting out CD's without the rootkit? After all it took a top of the line computer guru to find it in the first place!

Here is the statement that I have found in each of the articles I've read.

"We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," the company said in a statement.

You just have to like that nice vague statement. The goals of security they talk about... are goals of their own security. They have absolutely zero interest in YOUR computer security. After all - it's been about 15 days since the rootkit was brought to light... but it was only AFTER a trojan had been released that Sony even acknowledged that there might possibly be a problem.

Of course you know they are only waiting for the hue and cry to die down...

He [Mark Russinovich] said Sony did not admit any wrongdoing, nor did it promise not to use similar techniques in the future.

I can't remember all the laws that have come about in the past few years on computer security and privacy. But this made me wonder if we don't have any laws yet to prosecute this kind of thing...

"It's very important to remember that it's your intellectual property, it's not your computer," Baker said at a trade conference on piracy. "And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

And it's REALLY important to let people know you will be installing garbage on their computer. It's even more important to give your customers a way to remove this junk reliably.

Last of all - Marketing 101 lesson for Sony... Don't piss off the geeks - they will come after you!

Previous Posts... here and here.

Posted by: Teresa in WebTech at 08:59 PM

November 11, 2005

Well That Didn't Take Long

The other day I was blogging about the rootkit that Sony CD's will install on your computer - if you were foolish enough to think you should be able to play music you paid for on your PC... One of the valid concerns was that the rootkit wasn't ONLY looking for a Sony CD to mess about with... oh no... any other program could use its "cloaking" feature to make itself invisible. Thus the specter of trojans and viruses using the rootkit for their own purposes....

Thus we come to this story.

AMSTERDAM (Reuters) - A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc.

Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down a computer's firewall and give hackers access to a PC. The malware hides by using Sony BMG software that is also hidden -- the software would have been installed on a computer when consumers played Sony's copy-protected music CDs.

It usually doesn't take long for an exploit to be published... I just couldn't resist the urge to say "I told you so!" to Sony. "You MORONS!" also comes to mind.

I was happy to see that people aren't taking this.

The software sparked a class action lawsuit against Sony in California last week, claiming that Sony has not informed consumers that it installs software directly into the "roots" of their computer systems with rootkit software, which cloaks all associated files and is dangerous to remove.

Good for them! I hope they win and Sony has to pay the price. That's what you get for trying to be sneaky and especially for installing malicious software on a system! But even better...

Sophos said it would have a tool to disable the copy protection software available later on Thursday.

Yay Sophos! Brilliant move - treating it like malicious spyware! Good for you!

What's Sony's take? Well naturally they are pure as the driven snow and have done no wrong... they only want to protect their interests... That protecting their interests means they have to tromp all over yours - well they really didn't mean to... honest!

Sony BMG made a patch available on its Web site on Tuesday that rids a PC from the "cloaking" element that is part of the copy-protection software, while claiming that "the component is not malicious and does not compromise security."

The patch does not disable the copy protection itself.

The Sony copy-protection software does not install itself on Macintosh computers or ordinary CD and DVD players.

Doesn't matter anymore WHAT Sony "claims" - they've forfeited trust. Plus - they are still claiming the component is NOT malicious.... I wonder what they consider to be malicious? Plus we can see they have discriminated against PC users! It doesn't affect the Mac... nor (although it doesn't specifically say it) does it affect Linux.

I REALLY hope the lawsuit wins (although I am seldom in favor of them - this is just egregious). And I hope enough people stop buying their CD's that it MAKES them remove the stupid copy protection to try and get sales back.

We would never allow Sony to waltz into our houses and stick cameras all around - to be sure we aren't illegally copying their CD's - so why is it okay for them to do exactly that on our computers? Very.Bad.Move.Sony. It's going to be a long time - if ever - until you are trusted again.

Posted by: Teresa in WebTech at 09:48 AM

November 04, 2005

Sony Pronounces All Users Guilty

So, do you buy CD's and run them on your computer? You know... a little background music to surf by... Well, if the CD comes from Sony - you may want to rethink what you're doing... for that matter - you may want to stop buying CD's from Sony altogether... and here's why...

It seems that Sony, in an effort to stop pirating of music, has developed a rootkit that it secretly installs on your system when you go to play the CD. Yes, a rootkit is a VERY BAD thing.

I can see many people's eyes glazing over... rootkit (they mumble to themselves) what's that? one of those geeky things that people who are really into computers worry about but I don't have to... Stop!!! Stop right there - this is not something to ignore... not if you want your system to continue to run correctly.

From CNET comes the following...

But let me start at the beginning. On Monday, October 31, alert users discovered that Sony BMG is using copy-protected CDs to surreptitiously install its digital rights management technology onto PCs. You don't have to be ripping the CD, either--just playing it from your CD-ROM drive triggers the installation. The software installs itself as a root kit, which is a set of tools commonly used to make certain files and processes undetectable, and they're the favored tool of crackers who are, as Wikipedia puts it, attempting to "maintain access to a system for malicious purposes." In fact, root kits are often classified alongside Trojan horses. And Mark Russinovich, who created a root-kit detection utility and was one of the first to blog about the Sony intrusion, discovered another little gem when he tried to remove the DRM drivers. It broke his computer--disabling his CD drive.[emph mine --ed]

Okay so, they've installed software on your system without your knowledge... And you think... well, I don't care if it's there - it doesn't bother me... I'll just listen to the music. Others think... I'll just get rid of it... You didn't think it would be as easy as that now did you?

Think again. And here is the big HUGE reason why this is so bad - thanks to Alex Halderman at Freedom to Tinker - he puts it in very plain English that even the least techy among us can understand...

Once the driver is installed, there’s no security mechanism in place to ensure that only the XCP2 software can use it. That means any application can make itself virtually invisible to standard Windows administration tools just by renaming its files so that they begin with the string “$sys$”. In some circumstances, real malicious software could leverage this functionality to conceal its own existence.

That's right folks - Sony's little software package not only allows THEM to mess with your system... but any other malware can make use of it too in order to hide itself... NO MATTER WHAT OTHER PROTECTION YOU HAVE IN PLACE! Think about that. You spend a big chunk of change to buy a computer... you use the firewall, you put anti-virus software on it, you put anti-spyware software on it... and then Sony comes along and WHAM it's all for nothing - they've just bypassed all your safeguards and left you wide open for other trojans or viruses to come along and play on your system... just to be sure you don't rip an extra copy of their latest song! Gee - thanks guys - ain't that just so sweet!
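The Python below is an added example, not part of the original post or of any tool it mentions: it models the name-based cloaking Halderman describes and shows how comparing the filtered listing against a raw one (a cross-view check) exposes whatever is hiding, whoever put it there. All file paths are constructed, and the case-insensitive prefix match is an assumption, since the post does not say how the driver compares names.

```python
"""Cross-view check for name-based cloaking (added example, constructed data)."""
from dataclasses import dataclass

CLOAK_PREFIX = "$sys$"  # the prefix quoted in the post

# Constructed sample: what a raw read of the disk (e.g. from offline media) shows.
RAW_LISTING = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\System32\$sys$player\driver.sys",      # stands in for the DRM's own files
    r"C:\Users\alice\Downloads\$SYS$photo_viewer.exe",  # unrelated program that renamed itself
    r"C:\Users\alice\Documents\report.doc",
]


def is_cloaked_name(path: str) -> bool:
    """True if any path component starts with the cloaking prefix.

    Case-insensitive matching is an assumption, chosen so the check
    errs on the side of flagging.
    """
    parts = path.replace("/", "\\").split("\\")
    return any(p.casefold().startswith(CLOAK_PREFIX) for p in parts if p)


def api_view(raw_listing):
    """Model of the filtered listing: prefixed entries vanish regardless of
    which program created them, because the filter never checks ownership."""
    return [p for p in raw_listing if not is_cloaked_name(p)]


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def cross_view_diff(api_listing, raw_listing):
    """Report entries present in the raw view but missing from the API view."""
    seen = {p.casefold() for p in api_listing}
    findings = []
    for path in raw_listing:
        if path.casefold() in seen:
            continue
        if is_cloaked_name(path):
            reason = "hidden, cloak prefix"
        else:
            reason = "hidden, other cause"
        findings.append(Finding(path, reason))
    return findings


if __name__ == "__main__":
    visible = api_view(RAW_LISTING)
    for finding in cross_view_diff(visible, RAW_LISTING):
        print(f"{finding.reason}: {finding.path}")
```

Both the DRM stand-in and the unrelated renamed program are reported, which is the point of the quote: the hiding is available to anything that adopts the prefix.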

For those who think they can Uninstall the rootkit - thus getting around Sony's little surprise package... it breaks your CD software! Read on to find out about the person who experienced this first hand...

It's very lucky for us, that we have REALLY smart guys out there trying their best to protect us. Guys like Mark Russinovich. Here's a look at what he did to find this rootkit and how it got on his system. This man works on tools to FIND rootkits...

Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug.

What a shock that must have been - to run a tool you're working on and discover - completely by accident - that your system has been "rooted". That's the kind of thing that makes your stomach hit the ground quickly.

Go read (or should I say - attempt to read), all the gyrations he went through to find out what was on his system and how it got there. I couldn't have found it... there are very few people with the knowledge and patience to pursue this kind of work. A few more will use the tools developed by such people to keep stuff off their system... but the mainstream of people won't know what happened - their systems will just start acting funky and they may even be warned that they've picked up a virus! And what happens when you think you have a virus? You spend HOURS and DAYS trying to fix things - Sony is now added to the list of companies that think you have nothing better to do than try to fix your system...

But oddly enough - that's not even the worst part of this story. The worst part is that Sony has decided we are ALL criminals. Each of us is not only ready and willing - but is in fact actually stealing from their company - even if you LEGALLY obtained the CD and are LEGALLY listening to it on your own system. Yes, that's right - YOU have been branded as a thief, without evidence, without recourse.

Personally - I'll be reading all the labels of any CD I buy from now on. Sony will not be among my purchases. Any Sony CD I own will never ever be run on one of my computers. I HATE being accused of thievery and I REALLY HATE people who mess with my computer without my permission.

Spread the word - keep your systems safe - don't buy Sony CD's!

Posted by: Teresa in WebTech at 11:15 AM
