November 30, 2005
Java has also announced that they have some big security holes in their software that need patching. This announcement is for those running Java from Windows, Linux, and Sun Solaris. Get yourself updated if you use Java.
And Firefox has just released its latest browser upgrade - 1.5. So if you are going to upgrade the Java that runs with your Firefox browser... you might as well upgrade the browser too!
And last of all - for you Microsoft users... have you patched lately??? If not - please consider heading over and patching up your system today... although I will admit that Patch Tuesday (the first Tuesday of the month) is next week, still, it's better to be up to date whenever possible.
November 23, 2005
In other Sony news yesterday, Slashdot linked to an article by Gartner on defeating the malware on existing CDs. Unfortunately - Gartner wasn't very specific about the "fingernail size piece of tape" needed. Nor did they show their work. I find that to be unfortunate - if they're going to write about it - they should be more specific. Being cagey about it at this stage is just silly.
I didn't do a Google search - I would be willing to bet that someone out there has specific instructions and diagrams.
November 18, 2005
"CNET News.com is reporting that a critical vulnerability has been found in some versions of Apple's popular iTunes that could allow attackers to remotely take over a user's computer, according to a warning issued by eEye Digital Security, a security research firm. The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X, according to the advisory. The discovery of this latest flaw comes days after Apple issued its iTunes 6 for Windows security update."
So - all you Apple iTunes people - check it out and update your security please!
November 15, 2005
Apparently they've been taking lessons from Microsoft... where the patch that's supposed to fix things - really makes it all worse.
Stung by the controversy, Sony BMG and the company that developed the antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom, released a program that uninstalls XCP.
But the uninstaller has created a new set of problems.
To get the uninstall program, users have to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, it makes the PC open to downloading and installing code from the Internet.
According to the Princeton analysis, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet.
"The consequences of the flaw are severe," Felten and Halderman wrote in a blog posting Tuesday. "It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get." [emph mine --ed]
I have to wonder - do they have ANYONE at Sony who understands computer security? Or were the computer security gurus of the company simply overruled by upper management (this happens so often it's not even funny). It is nearly to the point of being a complete farce - they just keep digging deeper instead of stopping and trying to find a way out.
Unfortunately this is what happens when a company believes that the end justifies the means. They knew what they were doing when they created the rootkit. They knew it installed secretly and that it was not easily removable. Thus they thought they could gain some control over the pirating of their music.
If someone in my neighborhood had a factory in their basement and was turning out pirated CD's to give away... Sony would NOT have the right to search every house in the area and find that factory. They would NOT have the right to install monitoring equipment in my house to be sure I don't copy their music! As a matter of fact, that would all be.... wait for it.... ILLEGAL!!!
They would have to take the novel approach of making a complaint to the police, having the police gather evidence, and - if they were able to make a good enough case - getting a search warrant to search the premises, and finally an arrest warrant when there is enough evidence that a person is breaking the law.
Unfortunately the entertainment industry has forgotten about little things like evidence, search warrants, police... They've become a group of vigilantes and they're out to lynch those they believe are stealing from them. The problem is they don't seem to mind if they take out a bunch of innocent people along the way. Or maybe they think all of their customers are criminals in training... only waiting for that moment when they too can start copying CD's and pirating music.
Sony and all the other entertainment providers should have to go about this the same way that everyone else must - through legal channels. Talk about suspending the Bill of Rights! Why aren't the artists up in arms about this? Why aren't they out there condemning this type of action against innocent people? They're quick enough to screech in highly unpalatable tones about having their "free speech" rights denied to them (even though that has never happened). Why aren't The Dixie Chicks leading the charge against these marauders who seem to feel they can do whatever they want with private property?
I'll be waiting to see if any "artist" speaks out against this. It will be interesting to see how many (if any) feel that your right to have privacy is more important than Sony's right to find a few pirates.
*** note that I would have some sympathy for Sony if I felt they were actually sorry for getting themselves into this position. As it stands, they seem to feel they have done nothing wrong. That's pretty scary when you think about it. BTW - they're offering to swap CD's - if I actually had any of the offending CD's (which I don't) I would be very leery of a swap. Who's to say they don't have yet some other little trick up their sleeve and you end up in worse shape than before.
If you're one of the unlucky ones who got stuck with this garbage on your computer... I would seriously consider backing things up and reinstalling the OS. Or hit up Mark Russinovich to find out the latest on the technical aspects.
November 14, 2005
Interesting. Headlines being the misleading creations of deluded brains - they are often completely at variance with the actual story itself... so it must naturally be checked out. Or at least as checked as possible. (We're still talking about 99% of news sources getting their info from one source and it just gets passed around)
WASHINGTON - Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.
How big of them! So they're going to "temporarily suspend" the making of these CD's with the rootkit. How do we know which CD's have it and which don't? After all according to some accounts there could be up to 2 million CD's in circulation with the rootkit on them. Are they going to label them or do we get to guess? Considering the way Sony has handled this entire mess - my money is on the guesswork. If anyone is still buying their stuff. For that matter... how do we know that they are actually putting out CD's without the rootkit? After all it took a top of the line computer guru to find it in the first place!
Here is the statement that I have found in each of the articles I've read.
"We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," the company said in a statement.
You just have to like that nice vague statement. The goals of security they talk about... are goals of their own security. They have absolutely zero interest in YOUR computer security. After all - it's been about 15 days since the rootkit was brought to light... but it was only AFTER a trojan had been released that Sony even acknowledged that there might possibly be a problem.
Of course you know they are only waiting for the hue and cry to die down...
He [Mark Russinovich] said Sony did not admit any wrongdoing, nor did it promise not to use similar techniques in the future.
I can't remember all the laws that have come about in the past few years on computer security and privacy. But this made me wonder if we don't have any laws yet to prosecute this kind of thing...
"It's very important to remember that it's your intellectual property, it's not your computer," Baker said at a trade conference on piracy. "And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."
And it's REALLY important to let people know you will be installing garbage on their computer. It's even more important to give your customers a way to remove this junk reliably.
Last of all - Marketing 101 lesson for Sony... Don't piss off the geeks - they will come after you!
November 11, 2005
Thus we come to this story.
AMSTERDAM (Reuters) - A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc.
Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos.
When recipients click on an attachment, they install malware, which may tear down a computer's firewall and give hackers access to a PC. The malware hides by using Sony BMG software that is also hidden -- the software would have been installed on a computer when consumers played Sony's copy-protected music CDs.
It usually doesn't take long for an exploit to be published... I just couldn't resist the urge to say "I told you so!" to Sony. "You MORONS!" also comes to mind.
I was happy to see that people aren't taking this.
The software sparked a class action lawsuit against Sony in California last week, claiming that Sony has not informed consumers that it installs software directly into the "roots" of their computer systems with rootkit software, which cloaks all associated files and is dangerous to remove.
Good for them! I hope they win and Sony has to pay the price. That's what you get for trying to be sneaky and especially for installing malicious software on a system! But even better...
Sophos said it would have a tool to disable the copy protection software available later on Thursday.
Yay Sophos! Brilliant move - treating it like malicious spyware! Good for you!
What's Sony's take? Well naturally they are pure as the driven snow and have done no wrong... they only want to protect their interests... That protecting their interests means they have to tromp all over yours - well they really didn't mean to... honest!
Sony BMG made a patch available on its Web site on Tuesday that rids a PC from the "cloaking" element that is part of the copy-protection software, while claiming that "the component is not malicious and does not compromise security."
The patch does not disable the copy protection itself.
The Sony copy-protection software does not install itself on Macintosh computers or ordinary CD and DVD players.
Doesn't matter anymore WHAT Sony "claims" - they've forfeited trust. Plus - they are still claiming the component is NOT malicious.... I wonder what they consider to be malicious? Plus we can see they have discriminated against PC users! It doesn't affect the Mac... nor (although it doesn't specifically say it) does it affect Linux.
I REALLY hope the lawsuit wins (although I am seldom in favor of them - this is just egregious). And I hope enough people stop buying their CD's that it MAKES them remove the stupid copy protection to try and get sales back.
We would never allow Sony to waltz into our houses and stick cameras all around - to be sure we aren't illegally copying their CD's - so why is it okay for them to do exactly that on our computers? Very.Bad.Move.Sony. It's going to be a long time - if ever - until you are trusted again.
November 04, 2005
It seems that Sony, in an effort to stop pirating of music, has developed a rootkit that it secretly installs on your system when you go to play the CD. Yes, a rootkit is a VERY BAD thing.
I can see many people's eyes glazing over... rootkit (they mumble to themselves) what's that? one of those geeky things that people who are really into computers worry about but I don't have to... Stop!!! Stop right there - this is not something to ignore... not if you want your system to continue to run correctly.
From CNET comes the following...
But let me start at the beginning. On Monday, October 31, alert users discovered that Sony BMG is using copy-protected CDs to surreptitiously install its digital rights management technology onto PCs. You don't have to be ripping the CD, either--just playing it from your CD-ROM drive triggers the installation. The software installs itself as a root kit, which is a set of tools commonly used to make certain files and processes undetectable, and they're the favored tool of crackers who are, as Wikipedia puts it, attempting to "maintain access to a system for malicious purposes." In fact, root kits are often classified alongside Trojan horses. And Mark Russinovich, who created a root-kit detection utility and was one of the first to blog about the Sony intrusion, discovered another little gem when he tried to remove the DRM drivers. It broke his computer--disabling his CD drive. [emph mine --ed]
Okay so, they've installed software on your system without your knowledge... And you think... well, I don't care if it's there - it doesn't bother me... I'll just listen to the music. Others think... I'll just get rid of it... You didn't think it would be as easy as that now did you?
Think again. And here is the big HUGE reason why this is so bad - thanks to Alex Halderman at Freedom to Tinker - he puts it in very plain English that even the least techy among us can understand...
Once the driver is installed, there’s no security mechanism in place to ensure that only the XCP2 software can use it. That means any application can make itself virtually invisible to standard Windows administration tools just by renaming its files so that they begin with the string “$sys$”. In some circumstances, real malicious software could leverage this functionality to conceal its own existence.
That's right folks - Sony's little software package not only allows THEM to mess with your system... but any other malware can make use of it too in order to hide itself... NO MATTER WHAT OTHER PROTECTION YOU HAVE IN PLACE! Think about that. You spend a big chunk of change to buy a computer... you use the firewall, you put anti-virus software on it, you put anti-spyware software on it... and then Sony comes along and WHAM it's all for nothing - they've just bypassed all your safeguards and left you wide open for other trojans or viruses to come along and play on your system... just to be sure you don't rip an extra copy of their latest song! Gee - thanks guys - ain't that just so sweet!
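The point of the quoted passage, as an added example (not code from this blog, from Freedom to Tinker or from Mark Russinovich): a Python sketch that models a filter keyed only on the "$sys$" name prefix and then runs the defender's cross-view check, comparing a raw listing against what standard tools report. The paths, the function names and the exact-case match are assumptions, and both listings are constructed.

```python
import ntpath  # parses Windows-style paths on any OS

CLOAK_PREFIX = "$sys$"  # the prefix quoted above

# Constructed raw (unfiltered) directory listing; every path is made up.
RAW_LISTING = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\$sys$constructed_drm.sys",
    r"C:\Documents and Settings\user\$sys$unrelated_tool.exe",
    r"C:\Program Files\Player\player.exe",
]


def cloaked_view(raw_names, prefix=CLOAK_PREFIX):
    """Model of what standard tools report while the driver is loaded.

    The filter looks only at the file name, never at who created the file,
    which is why any program can opt in by renaming itself.
    Assumption: the match is exact-case.
    """
    return [n for n in raw_names
            if not ntpath.basename(n).startswith(prefix)]


def hidden_entries(raw_names, api_names):
    """Cross-view diff: present in the raw view, missing from the API view."""
    visible = {n.lower() for n in api_names}  # Windows paths are case-insensitive
    return sorted(n for n in raw_names if n.lower() not in visible)


def triage(hidden, attributed=frozenset(), prefix=CLOAK_PREFIX):
    """Sort hidden entries by how much follow-up they need."""
    report = {"attributed": [], "unattributed": [], "other_mechanism": []}
    for name in hidden:
        if not ntpath.basename(name).startswith(prefix):
            report["other_mechanism"].append(name)  # hidden, but not by this prefix
        elif name.lower() in attributed:
            report["attributed"].append(name)       # already traced to a known product
        else:
            report["unattributed"].append(name)     # something else is using the cloak
    return report


def run_demo():
    api_view = cloaked_view(RAW_LISTING)
    hidden = hidden_entries(RAW_LISTING, api_view)
    known = {r"c:\windows\system32\$sys$constructed_drm.sys"}  # analyst's list, lower-cased
    return triage(hidden, attributed=known)


if __name__ == "__main__":
    for bucket, names in run_demo().items():
        print(bucket, names)
```

In practice the raw listing has to come from a view the driver cannot filter, such as the same disk read from another machine or from clean boot media.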
For those who think they can Uninstall the rootkit - thus getting around Sony's little surprise package... it breaks your CD software! Read on to find out about the person who experienced this first hand...
It's very lucky for us, that we have REALLY smart guys out there trying their best to protect us. Guys like Mark Russinovich. Here's a look at what he did to find this rootkit and how it got on his system. This man works on tools to FIND rootkits...
Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug.
What a shock that must have been - to run a tool you're working on and discover - completely by accident - that your system has been "rooted". That's the kind of thing that makes your stomach hit the ground quickly.
Go read (or should I say - attempt to read), all the gyrations he went through to find out what was on his system and how it got there. I couldn't have found it... there are very few people with the knowledge and patience to pursue this kind of work. A few more will use the tools developed by such people to keep stuff off their system... but the mainstream of people won't know what happened - their systems will just start acting funky and they may even be warned that they've picked up a virus! And what happens when you think you have a virus? You spend HOURS and DAYS trying to fix things - Sony is now added to the list of companies that think you have nothing better to do than try to fix your system...
But oddly enough - that's not even the worst part of this story. The worst part is that Sony has decided we are ALL criminals. Each of us is not only ready and willing - but is in fact actually stealing from their company - even if you LEGALLY obtained the CD and are LEGALLY listening to it on your own system. Yes, that's right - YOU have been branded as a thief, without evidence, without recourse.
Personally - I'll be reading all the labels of any CD I buy from now on. Sony will not be among my purchases. Any Sony CD I own will never ever be run on one of my computers. I HATE being accused of thievery and I REALLY HATE people who mess with my computer without my permission.
Spread the word - keep your systems safe - don't buy Sony CD's!