[conspire] No Sony DRM around here; I'm proud of you

Rick Moen rick at linuxmafia.com
Sun Dec 11 21:31:26 PST 2005

Quoting Peter Knaggs (peter.knaggs at gmail.com):

> Ahh, so that might explain the recent update
> from Microsoft, which asks the user to reply
> yes or no to the following curious question:
>   Do you want to install the
>   Microsoft Malicious Program Removal Tool
> Hard to know what context "Malicious" is being
> used in, these days...
> Still, as long as you remember that Microsoft's
> real customers are the big Media companies, and
> not us "consumers" it's fairly clear: It's simply
> a Program Removal Tool from the newly-created
> branch of Microsoft, "Microsoft Malicious" :)

(Apparently, "Malicious Program Removal Tool" is from MSFT's 2003-06
acquisition of GeCAD Software:
http://www.microsoft.com/presspass/press/2003/jun03/06-10GeCadPR.mspx )

Yes, one does wonder whether some of what these firms consider
"malicious" isn't subject to redefinition as corporate needs dictate.
They might, with their next update, decide that Kazaa and eMule are
brimming with malice, for example.  ;->

It occurs to me that, for those running proprietary (and especially
binary-only proprietary) software, including on Linux, one possible
"canary" for Sony-type misbehaviour is to perform the ritual that we
free-software people typically do, and that the "desktop" crowd does

Read those goddamned licences.  No, really:  _Read_ them.

When companies like Sony BMG set out to screw their customers through
technological measures, their lawyers will generally insist that they
finagle some liability shield for misdeeds they would be most likely to
be sued over -- which will, of course, be typically right there in the
licence agreement.

Companies count on you _not_ reading licences ("EULAs" and such), and do
nothing to make it natural or easy, e.g., tiny viewing windows, no
easy provision to save a copy for later, etc.  You're hustled towards
the "I agree" button -- at your peril.  

People who bothered to read the Sony BMG EULA would have seen very clear
advance warning of the worst of their misbehaviour -- though one must
make sure one's paranoia filter is enabled:

   ...this CD will automatically install a small proprietary software

The language goes on to give you ersatz reassurances about what the
program will _not_ do:

   the software will not be used at any time to collect any personal 
   information from you, whether stored on your computer or otherwise

That's like saying "You authorise the application of this nightstick to 
parts of your body.  At no time will the nightstick pick your pocket."

   You expressly acknowledge and agree that you are installing and using
   the licensed materials at your own sole risk. 

Ah, so it doesn't matter what their stuff does; they're claiming to duck
all responsibility.  The phrase "at your own sole risk" should always
set off alarm bells, whether you hear it from a strange yet high-privilege
software package's licence or from a used-car dealer.

   The software is intended to protect the audio files embodied on the
   CD, and it may also facilitate your use of the digital content.

This should, again, trigger suspicion:  "Protect" against what?  And 
why should your listening to an ordinary CD digital audio file be
"facilitated" by a "small proprietary software program"?  That doesn't 
make sense at all.

Of course, they mean "protecting" the music against _you_, by screwing
around with your computer and wrestling control over it from you.

There are lots of other crazy provisions, e.g.

  the term of this EULA shall terminate immediately, without notice
  [...] in the event that you [file bankruptcy or similar]

The EULA never details precisely what they're going to do to you, but
the liability disclaimer should be sufficient warning that they want the
litigation decks clear for it possibly meaning "Any damned thing we want."

Anyhow, much fun like that can expect to be found in licences in
software _not just_ issued by the music and motion picture industries,
but _also_ in software firms suborned by them.  As Schneier pointed out, 
nearly all of the major security-alert and antivirus firms' hands were
provably dirty in this case.  It is known, in fact, that for three weeks 
immediately following the Sony BMG story's becoming public, many of
those firms were in long meetings with Sony executives, presumably
working out their game plan.

ClamAV was an honourable exception.  So was Finnish AV firm F-Secure:

Mind you, I don't think Sony BMG planned in detail to screw up people's
computers.  More likely, they just outsourced the "piracy problem" to UK
firm First4Internet, and then had little idea what exactly they did in
Sony's name.

Another interesting question is:  What _other_ business interests have
suborned most of the major security and antivirus firms?  For starters,
there are all the _other_ copyright barons behind the RIAA and MPAA.
What sort of PC security disasters are _they_ already carrying out on
millions of unsuspecting citizens?

Also, I'd be incredibly wary of the major _gaming_ firms:  Considering
the intolerable actions carried out by, for example, Blizzard
Entertainment (makers of World of Warcraft, StarCraft, etc.) to sue out
of existence volunteers at the former "battle.net" domain who wrote an
_independent, from-scratch_ daemon compatible with their Warcraft game
software -- using, naturally, DMCA thuggery.

Given that level of scruple, and their famous liking for copy prevention
(er, "protection") software sabotage, what _other_ sorts of system
trojaning are they likely to hide in their binaries?  At minimum, keep
reading those EULAs:  If there are odd rights they're asserting, you
should wonder why.

Me, I would not let a Blizzard Entertainment product -- or any of its
untrustworthy competitors -- near any of my machines.  (Blizzard products
are not welcome in my house at all.)

Along the same lines, if someone asks you to run an unknown binary with
system privilege, with no ability to inspect, you should wonder why.


   File Name:	find_ddos_v42_linux.tar.Z

   Description: Find_ddos v4.2 (linux) - The NIPC has developed a 
   tool to assist in combating ddos agents. The tool scans a local 
   system that is either known or suspected to contain a DDOS program. 
   The tool will detect several known denial-of-service attack tools 
   including tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, 
   tfn daemon, tfn client, stacheldraht master, stacheldraht client, 
   stachelddraht demon and tfn-rush client. Solaris version also available.

Who's NIPC, you might ask?  Oh, that is or was the National
Infrastructure Protection Center, founded as an FBI agency under Carter
and apparently now gradually being engulfed by other parts of Department
of Homeland Security.  (The www.nipc.gov Web site is gone, for example.)

When NIPC published that "find_ddos_v42_linux.tar.Z" tool in 2001, and
made it available only as a statically-linked, stripped, i386 Linux ELF
binary, I sent them a polite "Are you kidding?" mail -- pointing out
that they were asking Linux users to engage in one of the bad habits
that would tend to get their sites compromised in the first place, and
that nobody was going to take them seriously until, at minimum, they
released the matching C code and build instructions.  They never

Quoting the README (on a copy found at

   The tool will detect several known denial-of-service attack tools by
   looking at all 32-bit ELF format files in a given directory tree, 
   and comparing the files' strings and symbol table against a set 
   of known "fingerprints" for TFN and trinoo tools.  [...]  
   The tool must be run as root.

In other words, it professed to be a pattern-matching thing like most
malware checkers.  But what amuses me in retrospect is up at the top:

   This material and tool is furnished on an "as is" basis. 

Sound familiar?  This is pretty much the same as "at your sole risk".

Mind you, I'm not saying _all_ such warranty disclaimers are evil.  I'm
saying that a blanket disclaimer _combined_ with unauditable binary code
that you're asked to run _privileged_ should make you raise your
eyebrows -- and say no.

(Rob Rosenberger at http://vmyths.com/resource.cfm?id=26&page=1 has more
unflattering things to say about NIPC, including their tendency towards
empty publicity-seeking and reprinting other security researchers' work
without credit.)
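The README quoted above describes find_ddos as a root-run scanner that walks a directory tree, picks out 32-bit ELF files, and compares their strings and symbol tables against fingerprints. The following Python script is an added example written for this archive page; it is not NIPC's tool and has no connection to its source. It does what the README describes in auditable form: it identifies ELF32 files by header, extracts printable strings, matches them against a fingerprint table, and reports whether each file is stripped (no SHT_SYMTAB section), which is exactly the property of the NIPC binary that the post objects to. The fingerprint strings, the sample ELF images, and the `demo_scan` temp-directory layout are all constructed for illustration and identify no real tool.

```python
import os
import re
import struct
import tempfile

# Added example, not the NIPC find_ddos tool. Scans a directory tree for
# 32-bit ELF files, matches their printable strings against a fingerprint
# table, and flags files that carry no symbol table (i.e. stripped binaries).

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
SHT_SYMTAB = 2

# Constructed, hypothetical fingerprints for illustration only. They are not
# the strings find_ddos used and they do not identify any real DDoS agent.
FINGERPRINTS = {
    "hypothetical-agent-A": [b"flood_target", b"master_password"],
    "hypothetical-agent-B": [b"udp_flood", b"syn_flood"],
}


def is_elf32(data):
    """True if the buffer starts with an ELF header declaring a 32-bit class."""
    return len(data) >= 52 and data[:4] == ELF_MAGIC and data[4] == ELFCLASS32


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def has_symtab(data):
    """Walk the ELF32 section header table looking for an SHT_SYMTAB entry."""
    endian = "<" if data[5] == 1 else ">"
    (_etype, _machine, _ver, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, _shstrndx) = struct.unpack(
        endian + "HHIIIIIHHHHHH", data[16:52])
    if shoff == 0 or shnum == 0:
        return False
    for i in range(shnum):
        off = shoff + i * shentsize
        if off + 8 > len(data):
            break
        sh_type = struct.unpack(endian + "I", data[off + 4:off + 8])[0]
        if sh_type == SHT_SYMTAB:
            return True
    return False


def scan_bytes(data):
    """Classify one file's contents; non-ELF32 input is skipped, as the README says."""
    if not is_elf32(data):
        return {"elf32": False, "stripped": None, "matches": []}
    found = extract_strings(data)
    matches = []
    for name, sigs in FINGERPRINTS.items():
        # Every fingerprint string must appear (as a substring) in some run.
        if all(any(sig in s for s in found) for sig in sigs):
            matches.append(name)
    return {"elf32": True, "stripped": not has_symtab(data), "matches": sorted(matches)}


def scan_tree(root):
    """Return {path: result} for every 32-bit ELF file under root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            result = scan_bytes(data)
            if result["elf32"]:
                results[path] = result
    return results


def build_sample_elf32(strings, with_symtab):
    """Constructed ELF32 image: header, NUL-separated string blob, section headers."""
    payload = b"\0".join(strings) + b"\0"
    shoff = 52 + len(payload)
    sections = [struct.pack("<IIIIIIIIII", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]
    if with_symtab:
        sections.append(struct.pack("<IIIIIIIIII", 1, SHT_SYMTAB, 0, 0, shoff, 0, 0, 0, 4, 16))
    ident = ELF_MAGIC + bytes([ELFCLASS32, 1, 1]) + b"\0" * 9
    header = ident + struct.pack("<HHIIIIIHHHHHH",
                                 2, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, len(sections), 0)
    return header + payload + b"".join(sections)


def demo_scan():
    """Write constructed samples into a temp dir, scan it, and return results by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "sub"))
        samples = {
            "agent_a.bin": build_sample_elf32(
                [b"udp_flood", b"flood_target", b"master_password"], with_symtab=False),
            os.path.join("sub", "clean.bin"): build_sample_elf32([b"hello world"], with_symtab=True),
            "notes.txt": b"flood_target master_password udp_flood syn_flood\n",  # not ELF, skipped
        }
        for rel, blob in samples.items():
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(blob)
        return {os.path.relpath(p, tmp): r for p, r in scan_tree(tmp).items()}


if __name__ == "__main__":
    for path, result in sorted(demo_scan().items()):
        print(path, result)
```

Two design points are worth noting. First, the scanner only consults the file's own bytes, so it can be run unprivileged against a copy of a suspect tree; the README's "must be run as root" requirement is not inherent to the technique. Second, a fingerprint hit on a stripped binary tells you something, but so does a stripped binary with no hit at all: it is precisely the kind of file that cannot be audited, which is the post's point.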
