[conspire] No Sony DRM around here; I'm proud of you

Rick Moen rick at linuxmafia.com
Thu Dec 8 20:37:37 PST 2005

Many of you will have followed the rather eyebrow-raising story of 
Sony / Bertelsman Music Group (BMG) and the spyware / trojan-horse / 
vendor-rootkit / security-crippling software sneaked aboard some
infuriatingly large number of that firm's audio CDs.  

This evening, down here at the annual LISA conference in San Diego, we
got a pair of amazingly good, and creative, short lectures:  One was by
cryptographer Matt Blaze, who talked briefly about physical lock
security in comparison to cryptography, and then leapt from there
directly to describing an NSF-funded project he ran to study methods 
law enforcement agencies use to conduct court-approved wiretapping.
I couldn't possibly do the talk justice, but suffice it to say that 
the Justice Department has crippled the Feds' current, supposedly
state-of-the-art CALEA wiretapping methods by insisting on
backwards-compatibility measures that make them trivial to counteract.
Your tax dollars at work, folks.

The other talk was by the always-amazing Dan Kaminsky, carrying out --
yes -- even more tricks with DNS.  This time, Dan has found a way to
compile profiles on the nature, behaviour, and interaction of _all_ of
the world's DNS nameservers.  Yep, all of them.  A lot of information
has emerged from his raw data already, including the fact that a
perilously large nubmer of networks are at risk of cache poisoning on
account of _still_ relying on (and often forwarding queries to)
vulnerable BIND8 nameservers.

Relevant to that Sony BMG scandal -- in which, by the way, Sony have
released no fewer than _three_ "uninstall" kits that uniformly _do not_ 
install Sony's trojaning software -- Dan mentioned that he took the time
to test all of the world's nameservers, to find out how many had
"connected.sonymusic.com" in their DNS caches.  That hostname is
significant because Sony BMG's rootkit "phones in" to a machine using
that hostname.  Any DNS nameserver that already has that name in cache
is one that (to a close approximation) has had at least one
Sony-infected Windows machine querying it.

Anyhow, I'm proud of you folks -- you CABAL members and Cheryl, the sole
member of my household to operate an MS-Windows box.  Judging from a
quick check of my nameserver, _none_ of the Windows machines you've 
set up to query my nameserver has been Sony-crippled.  Which means none
of you was unwary enough to say "Yes" when a Sony-published audio CD, 
inserted into your Windows computer, asked to "upgrade" (or such) the
software on your computer.

Er, actually, I'm honestly not certain that Deirdre's DHCP server, the
Apple Airport Extreme in the living room, queries _my_ nameserver.  But 
that's what I checked:


$ dig connected.sonymusic.com @ns1.linuxmafia.com +norecurse

; <<>> DiG 9.3.1 <<>> connected.sonymusic.com @ns1.linuxmafia.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21691
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13

;connected.sonymusic.com.       IN      A

com.                    125260  IN      NS      E.GTLD-SERVERS.NET.
com.                    125260  IN      NS      F.GTLD-SERVERS.NET.
com.                    125260  IN      NS      G.GTLD-SERVERS.NET.
com.                    125260  IN      NS      H.GTLD-SERVERS.NET.
com.                    125260  IN      NS      I.GTLD-SERVERS.NET.
com.                    125260  IN      NS      J.GTLD-SERVERS.NET.
com.                    125260  IN      NS      K.GTLD-SERVERS.NET.
com.                    125260  IN      NS      L.GTLD-SERVERS.NET.
com.                    125260  IN      NS      M.GTLD-SERVERS.NET.
com.                    125260  IN      NS      A.GTLD-SERVERS.NET.
com.                    125260  IN      NS      B.GTLD-SERVERS.NET.
com.                    125260  IN      NS      C.GTLD-SERVERS.NET.
com.                    125260  IN      NS      D.GTLD-SERVERS.NET.

A.GTLD-SERVERS.NET.     67474   IN      A
A.GTLD-SERVERS.NET.     120462  IN      AAAA    2001:503:a83e::2:30
B.GTLD-SERVERS.NET.     67474   IN      A
B.GTLD-SERVERS.NET.     120462  IN      AAAA    2001:503:231d::2:30
C.GTLD-SERVERS.NET.     67474   IN      A
D.GTLD-SERVERS.NET.     67474   IN      A
E.GTLD-SERVERS.NET.     67474   IN      A
F.GTLD-SERVERS.NET.     67474   IN      A
G.GTLD-SERVERS.NET.     67474   IN      A
H.GTLD-SERVERS.NET.     67474   IN      A
I.GTLD-SERVERS.NET.     67474   IN      A
J.GTLD-SERVERS.NET.     67474   IN      A
K.GTLD-SERVERS.NET.     67474   IN      A

;; Query time: 48 msec
;; WHEN: Thu Dec  8 19:54:38 2005
;; MSG SIZE  rcvd: 497



For whatever it's worth, neither nor, the
main nameservers at my upstream bandwidth provider, Raw Bandwith
Communications, has that hostname in cache, either.

How many of the world's nameservers _do_ have that name in cache,
indicating that there are Sony-infected PCs next to them?  Around
460,000 nameservers, Dan says.  No kidding.

And, by the way, the _very best_ article on the Sony BMG scandal 
was Bruce Schneier's:  He asked:  How is it possible that the anti-virus
vendors completely missed Sony BMG's compromise and rootkitting of
millions of Windows machines?

The answer, of course is:  They _didn't_ miss it.  But they made an
apparently conscious decision to "forget" to alert their customers.
(Honorable exceptions:  ClamAV and F-Secure -- everyone else's hands
were dirty, to my knowledge.)

Next time you're told you need to install anti-virus software to protect
your Windows box, remember whom those companies work for.  It simply
ain't you.


That went straight onto my "virus rants" pages, when I heard about
_that_ bit of infamy.

More information about the conspire mailing list