Question: Sony DRM on the Mac
Hi drunken one, is the DRM software used by Sony/BMG (and provided by SunnComm) on the Mac platform a rootkit, like the Windows counterpart (XCP from First 4 Internet Ltd)?
engrish
No, as:
- You click through a EULA before you install it, in which you sign your computer away, like you do with most EULAs now. I found this out the hard way, and now someone in Pakistan gets my first born.
- You're told stuff is going to be installed, even if you're not told precisely what, and you type your password and stuffins, giving you two shiny kernel extensions.
However...
- Some might disagree, whether because they have a differing definition of rootkit or because Sony is currently a PR pinata. I hear Spider-Man 3 is gonna suck, too.
- I believe the term rootkit, as applied to the horror show that Sony was shipping, was coined to get a point across, then picked up by the world; however, we'd traditionally call it malware.
However, there are weird things in it like masking all files that start with "$sys$", so one could argue back and forth for a while to the point where I'd lose interest and say "Agree to disagree" before we started talking about the difference between a hack and a crack.
Then again, malware doesn't necessarily mean what it used to mean either... I'm so confused.
- I'm unaware of someone having taken apart the KEXTs and looked for functionality that could be exploited by others for malicious means -- but even if it could, you'd be saying every poorly-coded kernel extension is a rootkit...
So, not a rootkit on the Mac -- just a form of DRM, and there's little about it that doesn't also apply to say, iTunes. Yeah, one is kernel-level and one is application-level, but I have a feeling that'll become technical semantics once we're on Trusted Computing hardware and such.
Comments (23)
Posted by: Damien Sorresso at November 18, 2005 05:36 PM
The Mac version of the software is positively benign, mostly due to OS X's innate resilience against malware. There's no CD auto-run for starters. Then you need to enter an administrator password in order to install the stuff. And there's no way for the kernel extensions to render themselves unremovable or mask themselves as the Windows software can. A simple `sudo kextunload' followed by a `sudo rm -r' will do the trick nicely.
Posted by: at November 18, 2005 05:39 PM
What a muddled response.
I believe that was intentional... maybe I read it wrong, but I laughed the way I read it. Mark
Posted by: Chris McElligott at November 18, 2005 05:43 PM
@Nick Matsakis: I wondered that myself, does Sony install its own player or does it somehow not allow ripping in iTunes? Or any program for that matter.
Posted by: Matt Green at November 18, 2005 05:52 PM
If the Mac software on those discs is SunnComm or Macrovision's work, then once you install it, the kernel extension it installs makes the OS ignore the CD-Audio portion of the disc. The data portion contains a special media player app that plays a set of encrypted WMA files. Depending on the particulars, it may allow you to burn a CD or transfer some or all of the files to a portable device, but not an iPod. It does not include the "cloaking" software that brought about the "rootkit" designation.
But of course, that's assuming you bother to install it.
Posted by: Ben at November 18, 2005 06:25 PM
Sysinternals didn't call it a rootkit to get a point across. They uncovered First4Internet's stuff while looking for rootkits with their product, "RootkitRevealer". The word was certainly already on their mind.
Obviously your point still stands that it's mildly debatable to call it a rootkit, but it wasn't dramatic flair either.
Posted by: Jason Terhorst at November 18, 2005 06:39 PM
By Nick's definition, it is a rootkit, because it does, in fact, call home to Sony, and provide marketing information to them about what the user is listening to. This was something that several security experts found when they poked at the Windows version a bit more. What is unclear is how the Mac version works, and if it does these same things.
Posted by: JHM at November 18, 2005 07:08 PM
By Nick's definition, it is a rootkit, because it does, in fact, call home to Sony, and provide marketing information to them about what the user is listening to.
That's "spyware".
Posted by: Mindflayer at November 18, 2005 07:23 PM
It IS a rootkit, because you have to root around to find it, then dig it out by the roots like a bad weed.
;)
Posted by: M. Frank at November 19, 2005 04:50 PM
I don't understand the debate here. The facts are clear: First4Internet used a rootkit to mask its DRM on Windows machines. The term spyware comes in because the software will also phone home to let Sony know that the CD is being used, and to get information about the disc (album name, track names, etc). Whether or not the term rootkit applies isn't an argument - they used one plain and simple.
Posted by: Damian at November 19, 2005 04:55 PM
XCP's not a rootkit, 'cos there's no "root" account on Windows; that's a *nix thing. ;-)
Seriously, I wish someone would look into what Sunncomm does to a Mac in more detail.
Posted by: Wes McGee at November 19, 2005 07:24 PM
I guess if we are going to be pedantic on definitions, this particular type of malware would be a Trojan, as close to the classical definition as one can come without involving the Greeks. The only reason it's not a 'rootkit' is because it is missing a remote control procedure for Sony to play snoop-around. But heck, in the day of automatic updates, and with it hiding anything with a "$sys$" prefix, it is just one update away from becoming one. Heck, others could use it to make their rootkits. In this case it is all the more insidious because up until October 31st people trusted Sony. In this case, no amount of authentication passwords, privilege restriction or root account separation would have protected anyone from this, because who would have thought Sony would pull something like this? Sony -- one of their divisions makes computers, for psych's sake -- not some Russian mob boss... though I guess when you're in the RIAA, you may as well be a member of the Russian mafia. This wasn't crap pulled off a filesharing network. No, this was pressed and sealed with the stamp of corporate approval. Yeah, I'd have been suspicious of this on a music CD, just because, but had this been on a software-only CD, where you'd have to agree to some EULA, yes I'd click "Yes" without thinking, and let it have admin access to do the install mojo.
What's worse, they spent two weeks trying to justify it, using words not unlike those used by a certain politician when justifying sneak and peek thumbthroughs of what library books have been read. (Most people don't know what a rootkit is -- why worry? If you're not guilty of anything, why fear a wiretap...I mean a rootkit.)
Posted by: Wes McGee at November 19, 2005 08:06 PM
...and the above, I was referring to the Windows version. I have no clue what is on the Mac version. I just know that Sony shouldn't be trusted on the matter anymore. If they'd go out and agree to this on Windows, I'm sure they wouldn't say no to SunnComm investigating any technical weakness in OS X to do the same. I hope there's not, but I wouldn't trust my safety from them anymore.
Posted by: Wes McGee at November 19, 2005 08:16 PM
..oh, one more thing... I should stop this. Windows doesn't exactly have a root account, but it has an account that's higher level or deeper system level than the "Administrator" level that most everyone runs as -- "Local System". That's pretty much root, and yep, the XCP software Sony installs runs itself at that high of a level.
Anyway, I heard somewhere (Wired?) that a piece of software like this violates some federal cybercrime law. I also read there that the feds won't prosecute. Damnit, if this does violate some law, I want some charges pressed! If it isn't against the law, I want someone to draft it into legislation. And I want Orrin Hatch strung out on TV and publicly shamed for his comments from some years ago where he suggested that record companies should be able to damage computers like this...
(last comment, I promise!)
Posted by: undef at November 19, 2005 10:15 PM
It would be really sad if this turned out to be the first piece of malware/spyware on the Mac. And made by who? Not by some anonymous guy on the internet wanting to make a buck from spam. No, this is a big corporation. And the "rootkit" they install on Windows machines is really scary, especially if they get away with it.
Posted by: Troy at November 19, 2005 11:26 PM
I agree with Wes about what makes a rootkit - it is the "feature-set" that counts, it doesn't matter what the deployment method is as far as I am concerned.
I understood that the album in question comes from Sony BMG, so surely Sony just inherited this all when they bought BMG? Not that it is any excuse, but I don't think that we necessarily have to assume all the other Sony divisions (eg hardware) are up to the same tricks.
I also read Mark Russinovich's blog (http://www.sysinternals.com/blog) - typically it is about much more "mundane" issues about Windows internals. He gives excellent descriptions of how he investigates various issues, and certainly gives me the impression (both from the blog and from his docco/tools) that he understands the innards of Windows better than most of Microsoft :)
Posted by: Rosyna at November 20, 2005 02:08 AM
For the OS X version, you have to find the data portion of the CD, double click on it, then find the application that installs it, and double click on that. Mac OS X does not support autorunning of applications, so it can not be exploited with it (a few versions of Mac OS 9/QT for Mac OS 9 did and that was quickly exploited, I guess Apple didn't want a rehashing of that event).
It is also important to note that audio CDs when placed in an OS X box seem to automatically open iTunes. Which doesn't show the data CD portion. I'm betting most Mac OS X users will never notice the data portion, and the ones that do will be smart enough to not blindly enter their password after seeing a vague EULA with no indication of what it does.
Posted by: Damian at November 20, 2005 05:02 AM
So, not a rootkit on the Mac -- just a form of DRM, and there's little about it that doesn't also apply to say, iTunes. Yeah, one is kernel-level and one is application-level, but I have a feeling that'll become technical semantics once we're on Trusted Computing hardware and such.
Two thoughts arising from that:
1. Then why would people stick with a Mac? Lock things up too tight and people won't buy - at least, that's supposed to be the lesson arising from the sale of Sony's first new-generation portable player. Wouldn't there be an incentive to move to a completely open platform where such things would not be countenanced?
2. Even if people still bought Macs, would they buy content that was locked to the hardware? Any content providers who decided not to tie up the content they sell hand-and-foot could take market share from those who do.
What's in all this for the bands anyway? Companies like Sony cream off most of the profits. It's live appearances that make them money. They might as well sell their music as cheap downloads.
Here's one band that actually makes its back catalog available free of charge:
http://www.steadmanband.com/
I don't suppose it will be the last.
Posted by: cmholm at November 21, 2005 01:29 PM
-- Even if people still bought Macs, would they buy content that was locked to the hardware? Any content providers who decided not to tie up the content they sell hand-and-foot could take market share from those who do. --
"Could" != "Will". Who, exactly, would those providers be? At the moment, such folks are non name-brands with no marketing to speak of, and other than the EFF, no lobby in the US. Christina Aguilera isn't distributed via mindawn.com, and hardly anyone is currently using Debian to play their tune stash.
Posted by: Peter da Silva at November 21, 2005 02:24 PM
What really ticks me off about all this is that everyone, now, is having the reaction to this software that they should have had to Internet Explorer back somewhere around 1997... back when Microsoft installed their back door under the name of "active content" as part of a cynical attempt to sidestep their agreement with the DoJ and kill Java.
Posted by: Peter da Silva at November 22, 2005 12:52 PM
Would you look at that, we don't need Sony to install a rootkit on Windows, it comes with one pre-installed...
Posted by: Nick at November 23, 2005 05:52 AM
Along with lawyers, prosecutors, and furious fans, artists are joining the backlash against the label:
http://www.businessweek.com/technology/content/nov2005/tc20051122_343542.htm
Artists need to - all these shenanigans benefit Sony, not them.
Posted by: nessence at November 23, 2005 12:56 PM
Wish I had one of these CDs. I'd really like to know exactly what the EULA says after all, and if Sony would watch what I listen to.
Then again, I never listen to CDs on the data track. They sound like ass. I'm still surprised the iPod is such an audiophile product (it does have a damn good DSP) yet iTunes doesn't sell lossless. Then again, it's probably the RIAA.
Someone once said 'fuck em'.








What a muddled response.
The Windows software was called a "rootkit" because it modified the system to mask its presence; for example, looking at the file system using standard file system tools and APIs would not reveal the files of the First4Internet software.
This is, I believe, a misnomer. Rootkits are bundles of software that are intended to give the user (commonly called a hacker/cracker) full access to a remote machine while hiding that fact. Basically, a way to prop open a back door, if you will. While rootkits typically hide their presence, not all software that hides its presence in that way is a rootkit. I believe the original whistle-blower actually accused Sony of using the tactics of a rootkit, but that all got muddled in the press.
Still, I think it's clear that the Sony software is malware, insofar as it takes over aspects of your computer, prevents you from using its resources, and resists attempts at removing it (by rendering your machine inoperable).
What I'm curious about is what, exactly, the Mac version of the Sony software does. Does it prevent ripping in iTunes? Other programs? Is it easy to delete? My guess is that it would fit the bill of malware, but some malware is worse than others.