Attorney General Abbott Slaps Sony With New Spyware Violatio

[somebodeez]

Wednesday, December 21, 2005

Deceptive trade allegations added; retailers warned by letter to remove certain CD titles.

AUSTIN - Texas Attorney General Greg Abbott today bolstered his pending November lawsuit against SONY BMG Music Entertainment by adding a number of new allegations that reflect harm to consumers who purchased certain compact discs (CDs).

In November, Attorney General Abbott sued the New York-based company under the state’s new spyware law of 2005, making him the first state official in the nation to bring legal action against SONY BMG for embedding illegal “spyware” in consumer products.

In new allegations today, Attorney General Abbott invoked the Texas Deceptive Trade Practices Act. The Attorney General alleges the company’s “MediaMax” technology for copy protection violates the state’s spyware and deceptive trade practices laws in that consumers who use these CDs are offered a license agreement, but even if consumers reject that agreement, files are secretly installed on their computers that pose additional security risks to those systems.

“We keep discovering additional methods SONY used to deceive Texas consumers who thought they were simply buying music,” said Attorney General Abbott. “Thousands of Texans are now potential victims of this deceptive game SONY played with consumers for its own purposes.”

The Attorney General’s lawsuit asserts the company failed to clearly warn consumers of the harm its copy protection software could cause when installed on consumers’ personal computers, and the fact that files secretly embedded in certain CDs purchased at retailers would likely compromise computers.

The article continues:
http://www.oag.state.tx.us/oagNews/release.php?id=1370

[GullyFoyle]

This is what a hacked rootkit can do.
https://www.videohelp.com/forum/viewtopic.php?t=287859&highlight=

BitTorrent Reloaded: Unauthorised installs lead to pirated
http://www.vitalsecurity.org/2005/12/bittorrent-reloaded-unauthorised.html
Quote:
Yep, the title is a mouthful but you heard it correctly: those crazy guys behind the Middle-East connected Rootkit-powered Botnet (phew! mouthful alert) experimented with something I haven't seen before, and we have the details over at Spywareguide.com.

In short - along with the second wave of installs that prompted FaceTime to go public with their findings (that would be my guys), the group behind all this auto-installed a version of BitTorrent onto the PCs already infected with the Lockx.exe Rootkit - crazy enough, yes? But then they went one further and started pumping movie files down the pipes, onto a sizeable chunk of those infected machines. You can, of course, see some of the BitTorrent files placed onto the PC in the lovely picture.

Why? Not sure. Some kind of proof-of-concept test-run? Highly likely. Especially as they cut it short, and went back to goofing around with more rootkits. Thing is, I've heard rumours (on the Internets) that some other hacking groups have picked this technique up, and will be running with it shortly.

Better to prepare the troops, right?

Bad enough these creeps are whacking PCs left, right and centre with Rootkits. Even worse that it looks like they're messing with BitTorrent and pumping movies all over the place. There's so many issues with that, I don't know where to start. What would the RIAA angle be on it? Or the other "kill the pirate" type groups? Would they crash down on anybody unfortunate enough to have ended up with this on board, their only "crime" to be whacked by a creepy Rootkit via IM?

Well, seeing as stories are currently flying about regarding people being sued for file-sharing (with no PC!), and Pearworks being rugby-tackled for providing a lyrics search facility, it's quite probable.

[painkiller]

Sounds to me like that hacker group is attempting to create illicit torrent machines (w/o owners knowledge) in order to "share" copyrighted files such as movies, software, etc.

Gee, and we have Sony to thank for that.

Can you imagine being rousted from your home because your computer hooked to broadband was doing something you didn't know about?

And just think, ignorance of the law is no excuse.

[gadgetguy]

And just think, ignorance of the law is no excuse.

Ignorance of the law has nothing to do with it. This is ignorance of the actions performed by your computer deliberately perpetrated by parties willfully violating the law. The question becomes whether you can be held responsible for these actions by others.

[SCDVD]

Some of these dubious people that are using things like BitTorrent file downloads are no doubt using this as a test and development scheme for other more sinister objectives. Use something "benign" such as movies to test and debug your evil intended scheme and then its ready to roll with its real "payload". How about this scenario for example: Mail a "target" a "gift" of a Sony music CD. The recipient of this "gift" gratefully plays it on his computer and then WHAM! -- Fill in the blank _____________. The need/desire to protect intellectual property is not sufficient reason to justify what Sony has done.

[somebodeez]

but even if consumers reject that agreement, files are secretly installed on their computers that pose additional security risks to those systems.

Absolutely nothing justifies that.

[ROF]

I'm not surprised to see these additions to the lawsuit brought by the State of Texas against Sony Corp.

From my earlier testing (please no comments) I was able to determine that even if you declined the EULA, software was still installed that enabled Sony at presumably a later date to track your declining to install the media player and subsequent rootkit.

When you decline a software installation agreement any temp files or otherwise installed software should be removed as you have declined to use their product.

[adam]

The question becomes whether you can be held responsible for these actions by others.

Well the real question is whether you can prove that these are the actions of others. If so then no you definitely cannot be held responsible.

But there's no evidence that the Sony rootkit can be used in such a manner anyway and there has been substantial attention given to plugging the hole it creates and in recalling all affected CDs. The fallout over the rootkit is being bourne by Sony, not so much by consumers. This is definitely a good thing.

[rkr1958]

The question becomes whether you can be held responsible for these actions by others.

Well the real question is whether you can prove that these are the actions of others. If so then no you definitely cannot be held responsible.

I only thought you needed a "reasonable doubt" ... am I mixing criminal versus civil ... what's the standard for civil?

[somebodeez]

The question becomes whether you can be held responsible for these actions by others.

Well the real question is whether you can prove that these are the actions of others. If so then no you definitely cannot be held responsible.

Sony was informed about the risks using a Rootkit and Sony went ahead with it anyway. (I can't locate the link for that article ATM).
Surely that should be a factor. (?)

[Rich86]

I think Sony failed the "have you been good this year" Santa Claus test big time - and is getting the proverbial stocking full of coal for Christmas. Hopefuly this particular stocking full of coal will dirty up the board room and linger on their balance sheets for a long time, possibly teaching Sony - and potentially other music/video manufacturers an important lesson. They DO NOT have the right to do anything they can dream up to muck around with their customers computers in their misguided pusuit of addressing their phobia concerning copy prevention.

[adam]

rkr1958: The reasonable doubt standard applies to all criminal proceedings. The standard of proof for civil actions depends on the cause of action. For copyright infringement the copyright holder must prove several elements by a preponderance of the evidence. This is usually easily done since P2P activity creates a log of the infringement which is indisputable meaning that somone used that account to do the infringement. So the burden would be on the defendant to show that it wasn't them but rather someone else accessing their unsecure network.
If they can do this then they are not guilty of copyright infringement, and no court is going to hold them vicariously liable for copyright infringement for failing to secure their network/weed out backdoor, etc... Our society is no where near that computer literate to hold people to that standard, and it probably never will be.

somebodeez: I dont see any connection whatsoever between Sony's actions and potential copyright infringements being done by someone else. If someone were essentially framed by being setup as a node for distribution, without their knowledge, it makes no difference how their system was compromised. It doesn't matter if its because of Sony's rootkit (like I said I really think this is a silly suggestion anyway since there is no evidence it could be used this way. The only thing rootkits have in common are their high heirarchical location. Whether they could be used to run a hidden bittorent client depends on the bugs in the code, so you might as well make the same argument for any software ever made) or some script kiddie hacking you, or because some burglar breaks into your house and uses your computer. If the person didn't do it they simply didn't do it and can't be held responsible. Unless the copyrighted material that was infringed upon was owned by Sony, they wouldn't even be a party to the suit. If Sony was in fact the one suing then it would be an ironic defense to claim that your system was compromised because of their own copyright protections, but Sony's culpability would still be irrellevant. Either you were the one downloading or you were not.

[somebodeez]

My mistake.
I was still focused on Sony - not copyright infringments.
I promise to try to read more thoroughly.