Page 2 of 4

Posted: Thu Nov 10, 2005 1:52 am
by +JuggerNaut+
Dr_Watson wrote:heh, interestingly its been boosting sales of client security... shit like this has been making companies paranoid, since any employee that stuffs a music cd into a computer on the network is now capable of causing issues.
exactly.

THIS is where i can see disabling of autorun in a corporate environment would be a good thing.
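As an added illustration of that corporate mitigation (example code, not something posted in this thread): Windows suppresses AutoRun per drive type through the Explorer policy value NoDriveTypeAutoRun, a bitmask whose bits follow the DRIVE_* type constants; 0xFF switches AutoRun off for every drive type, including CD-ROM. The script below reports the current setting in both the machine and user hives and offers a function to enforce the fully disabled value. The function names and the bit labels are this example's own.

```powershell
# Added example (not from the thread): inspect and, on request, disable Windows
# AutoRun through the Explorer policy value NoDriveTypeAutoRun.
# Bit meanings follow the DRIVE_* type constants; 0xFF disables AutoRun for all
# drive types. Changing the HKLM value requires an elevated session.

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Drive-type bits for which AutoRun is suppressed when set (labels are ours).
$DriveTypeBits = [ordered]@{
    0x01 = 'Unknown'
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Unknown (reserved)'
}

function Get-AutorunPolicy {
    # Returns one object per hive: raw value, whether optical media is covered,
    # and a readable list of the suppressed drive types.
    foreach ($path in $PolicyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                      -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        $suppressed = @()
        if ($null -ne $value) {
            foreach ($bit in $DriveTypeBits.Keys) {
                if ($value -band $bit) { $suppressed += $DriveTypeBits[$bit] }
            }
        }
        [pscustomobject]@{
            Hive         = $path.Split(':')[0]
            Value        = if ($null -ne $value) { '0x{0:X2}' -f $value } else { '(not set)' }
            CdRomBlocked = [bool]($value -band 0x20)
            Suppressed   = $suppressed -join ', '
        }
    }
}

function Disable-Autorun {
    # Writes 0xFF (all drive types) to the policy key, creating it if absent.
    param([switch]$MachineOnly)
    $targets = if ($MachineOnly) { @($PolicyPaths[0]) } else { $PolicyPaths }
    foreach ($path in $targets) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

Get-AutorunPolicy | Format-Table -AutoSize
# To enforce on this machine:  Disable-Autorun -MachineOnly
```

The same value is what the "Turn off AutoPlay" Group Policy setting writes, so in a domain the policy object is the usual way to roll it out fleet-wide; the script is handy for verifying that the policy actually landed on a given workstation. A value that covers removable drives but leaves bit 0x20 clear is exactly the gap an audio CD with an autorun.inf would walk through.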

Posted: Thu Nov 10, 2005 11:00 am
by Grudge
+JuggerNaut+ wrote:
Grudge wrote:http://www3.ca.com/securityadvisor/pest/collateral.aspx?cid=76351
as far as some of these CD's go (Switchfoot's for sure), you cannot play the music on any other media player other than the one that's on the CD.
Exactly. And even if you play it with that media player you'll only get some crappy 96kb/s quality, since it won't play the actual CD track. That's why you should go and return the CD to the shop and tell them that you won't buy any CD's that you can't fucking play.

And then go home and fire up SoulSeek or BitTorrent if you really want to listen to the music.

Posted: Thu Nov 10, 2005 4:03 pm
by AmIdYfReAk

Posted: Thu Nov 10, 2005 4:08 pm
by +JuggerNaut+
Grudge wrote:
+JuggerNaut+ wrote:
Grudge wrote:http://www3.ca.com/securityadvisor/pest/collateral.aspx?cid=76351
as far as some of these CD's go (Switchfoot's for sure), you cannot play the music on any other media player other than the one that's on the CD.
Exactly. And even if you play it with that media player you'll only get some crappy 96kb/s quality, since it won't play the actual CD track. That's why you should go and return the CD to the shop and tell them that you won't buy any CD's that you can't fucking play.

And then go home and fire up SoulSeek or BitTorrent if you really want to listen to the music.
even JuGGz might resort to that :(

Posted: Thu Nov 10, 2005 4:12 pm
by +JuggerNaut+
AmIdYfReAk wrote:http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/

fuckin lol
and so it begins...

Posted: Thu Nov 10, 2005 5:14 pm
by Tormentius
+JuggerNaut+ wrote:
AmIdYfReAk wrote:http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/

fuckin lol
and so it begins...
Let's hope the cunts get sued for billions. I don't foresee any more Sony purchases in my future, that's for sure.

Posted: Thu Nov 10, 2005 5:50 pm
by Tormentius
riddla wrote:mmmmmm, SAVCE 10.0.1.1007 goodness
Yeah but it won't block installations and won't remove it, it will only detect it :icon8:

Click for Symantec's response

Posted: Thu Nov 10, 2005 7:04 pm
by Tormentius
riddla wrote:of course, but detection is 9/10 of the battle with these things.
Quite agreed. I have RIS to take care of the rest once I know a station has been compromised. 30 mins and the OS is completely reinstalled and all apps installed as part of the process with no manual intervention required. It gives me the confidence of knowing a machine is completely clean.

Posted: Thu Nov 10, 2005 9:28 pm
by R00k

Posted: Thu Nov 10, 2005 9:45 pm
by Eraser
from that article:
The Electronic Frontier Foundation has also examined Sony's End User License Agreement which consumers now agree to when buying Sony CDs. Aside from letting Sony install any software they like on your computer it also covers what you can do with stored copies of the CD.
EULA's are the weirdest things ever. I still don't see how they could be legally binding (I remember hearing that they aren't here in the Netherlands), because:

1 - You cannot read a EULA prior to buying the product. If you do not agree with the EULA, then the product is already in your hands.
2 - EULA's are filled with legal blah blah, language the average person doesn't understand. They're also extremely lengthy and probably filled with a lot of hot air. I find it rather unbelievable that a consumer is expected to read and understand something like that.
3 - Companies can put anything in a EULA that they want. As long as it's obscured in enough completely not understandable legal language, they can do pretty much everything to your PC and call it legal, because Sony bloody well knows no person on earth ever reads a EULA.

Posted: Thu Nov 10, 2005 11:08 pm
by +JuggerNaut+
R00k wrote:Here come the lawsuits...

http://www.theregister.co.uk/2005/11/10 ... r_rootkit/
Sony, Sony, Sony...

Posted: Thu Nov 10, 2005 11:11 pm
by +JuggerNaut+
Eraser wrote:from that article:
The Electronic Frontier Foundation has also examined Sony's End User License Agreement which consumers now agree to when buying Sony CDs. Aside from letting Sony install any software they like on your computer it also covers what you can do with stored copies of the CD.
EULA's are the weirdest things ever. I still don't see how they could be legally binding (I remember hearing that they aren't here in the Netherlands), because:

1 - You cannot read a EULA prior to buying the product. If you do not agree with the EULA, then the product is already in your hands.
2 - EULA's are filled with legal blah blah, language the average person doesn't understand. They're also extremely lengthy and probably filled with a lot of hot air. I find it rather unbelievable that a consumer is expected to read and understand something like that.
3 - Companies can put anything in a EULA that they want. As long as it's obscured in enough completely not understandable legal language, they can do pretty much everything to your PC and call it legal, because Sony bloody well knows no person on earth ever reads a EULA.
i don't agree with #3. they're not tough to read. people are just lazy and clickers. of course Sony knows most people don't read EULA's and all other companies know this too.

the argument is that Sony should have put exactly what's being installed in the EULA in the first place. if they had, they wouldn't be going through this sweating, which they are now.

Posted: Thu Nov 10, 2005 11:25 pm
by Eraser
The Quake 3 EULA is a 5 page document.
I don't feel that it's fair to expect everyone to read something like that prior to installing any piece of software. Clicking on an "ok" or "next" button shouldn't legally bind me to something like that.

While I do think that it's okay for a EULA to proclaim protection of the software, such as copyright things and how you're not allowed to copy stuff. A EULA, however, should not be used to "allow" software to be installed without the user's consent.

Posted: Fri Nov 11, 2005 12:25 am
by +JuggerNaut+
Eraser wrote:The Quake 3 EULA is a 5 page document.
I don't feel that it's fair to expect everyone to read something like that prior to installing any piece of software. Clicking on an "ok" or "next" button shouldn't legally bind me to something like that.

While I do think that it's okay for a EULA to proclaim protection of the software, such as copyright things and how you're not allowed to copy stuff. A EULA, however, should not be used to "allow" software to be installed without the user's consent.
i still don't agree. it's their right to include this, but it's NOT their right to NOT include such information in any EULA. if you care not to read it, and it states it's installing such and such software, then there should be no whining after the fact. the company has a right to cover its @ss.

Posted: Fri Nov 11, 2005 1:28 am
by R00k
Would it be legal for Microsoft to install a backdoor into their OS that no one knows about but them? Even if they included it in the fine print of their license agreement?

Posted: Fri Nov 11, 2005 1:49 am
by ^misantropia^
The Law is the Law. Companies can put anything they want in an EULA but if it doesn't comply with the Law, it's worth squat. Else we'd all be sporting bumper stickers saying "I won't be held liable if I bump into you".

Posted: Fri Nov 11, 2005 2:17 am
by +JuggerNaut+
R00k wrote:Would it be legal for Microsoft to install a backdoor into their OS that no one knows about but them? Even if they included it in the fine print of their license agreement?
:olo: and who says they haven't? i didn't say that just by noting it in the EULA that the installation of software with this kind of potential was "legal". no one knew anything about what it does until Russinovich popped it wide open.

Sony got busted for NOT expressing that software will be installed if auto-run is enabled, and now upon further investigation by Russinovich, dug Sony an even deeper hole.

Posted: Fri Nov 11, 2005 3:22 am
by R00k
I think you're mincing words there though. For one, it's not the potential we're talking about. Sony's contractor intentionally made the software do what it does. Obviously they didn't intend other people to exploit it, but they didn't intend others to even find out about it.
Secondly, I don't think Sony got busted for not expressing that autorun should be disabled to avoid installing hidden software; it's the fact that they did not intend to tell anyone - that telling people about it was the explicit opposite of the software's functionality - that has destroyed their reputation.

I know most market analogies don't work with PC software due to its nature - but imagine if you took your car to a mechanic, and while they were changing the oil, they installed a device that used your engine's power to transmit mileage and usage data back to their office. So for every gallon of gas you bought, you would be donating a few cents of it to help their company with its marketing, without ever consenting or even knowing it.

Posted: Fri Nov 11, 2005 3:43 am
by +JuggerNaut+
R00k wrote:I think you're mincing words there though. For one, it's not the potential we're talking about. Sony's contractor intentionally made the software do what it does. Obviously they didn't intend other people to exploit it, but they didn't intend others to even find out about it.
Secondly, I don't think Sony got busted for not expressing that autorun should be disabled to avoid installing hidden software; it's the fact that they did not intend to tell anyone - that telling people about it was the explicit opposite of the software's functionality - that has destroyed their reputation.

I know most market analogies don't work with PC software due to its nature - but imagine if you took your car to a mechanic, and while they were changing the oil, they installed a device that used your engine's power to transmit mileage and usage data back to their office. So for every gallon of gas you bought, you would be donating a few cents of it to help their company with its marketing, without ever consenting or even knowing it.
i think that you think that i don't agree with you. i'm merely stating that by initially NOT including something regarding any kind of software install in the EULA they were obviously hiding this fact all along. and since we now know pretty much what it does, we can assume that this was no "mistake" on their part.

again though, they would still have SOME footing in court if they had any basic statement of software installation in the EULA.

now they're hosed.

Posted: Fri Nov 11, 2005 5:15 am
by R00k
Ah, I misunderstood you then.

Posted: Fri Nov 11, 2005 5:19 am
by +JuggerNaut+
R00k wrote:Ah, I misunderstood you then.
nah, looking back at my post, i should have waited to reply when i got home. i was in a rush.

summary

Posted: Fri Nov 11, 2005 7:45 am
by +JuggerNaut+
for those that are just looking at this thread and don't want to check out all the links, here's a summary of what has transpired so far:

The DRM software Sony has been shipping on many CDs since April is cloaked with rootkit technology:

* Sony denies that the rootkit poses a security or reliability threat despite the obvious risks of both
* Sony claims that users don’t care about rootkits because they don’t know what a rootkit is
* The installation provides no way to safely uninstall the software
* Without obtaining consent from the user Sony’s player informs Sony every time it plays a “protected” CD

Sony has told the press that they’ve made a decloaking patch and uninstaller available to customers, however this still leaves the following problems:

* There is no way for customers to find the patch from Sony BMG’s main web page
* The patch decloaks in an unsafe manner that can crash Windows, despite my warning to the First 4 Internet developers
* Access to the uninstaller is gated by two forms and an ActiveX control
* The uninstaller is locked to a single computer, preventing deployment in a corporation

Consumers and antivirus companies are responding:

* F-Secure independently identified the rootkit and provides information on its site
* Computer Associates has labeled the Sony software “spyware”
* A law firm has filed a class action lawsuit on behalf of California consumers against Sony
* ALCEI-EFI, an Italian digital-rights advocacy group, has formally asked the Italian government to investigate Sony for possible Italian law violations.

Posted: Fri Nov 11, 2005 7:57 am
by [xeno]Julios
tx for the forward jug - informative shit.

Posted: Fri Nov 11, 2005 8:01 am
by +JuggerNaut+
not a problem, mang.

Posted: Fri Nov 11, 2005 8:04 am
by [xeno]Julios
holy shit - just took a deeper look at the sysinternals site - definitely a top quality resource.