Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Mark's Sysinternals Blog

Sony Settles

I’m proud to announce a major step forward in the legal phase of the Sony rootkit story: Scott Kamber and Sony have filed a proposed settlement for the national class-action suit brought by Scott. While I didn’t participate directly in the negotiations, I’m serving as an expert for Scott and provided input on the terms, which I think are a significant victory for the consumer.

I won’t recount the specifics of the agreement, which incidentally isn’t final until approved by the US District Court for the Southern District of New York, because other articles have already summarized them. However, the basics include consumer incentives for returning their DRM’d CDs in the form of money and/or free albums (from a choice of sources, including iTunes!) and independent oversight for the next two years over Sony’s DRM development and EULAs. In addition, Sony waives most of the terms of the existing XCP and MediaMax EULAs and allows customers that experienced computer problems as a result of the software to file independent claims outside the settlement.

Reaction to the news has generally been positive, but there are some that believe that Sony has been dealt little more than a slap on the wrist. I had no reservations giving the settlement my approval and think that this specific circumstance has had a best-case outcome for those affected.

I certainly don’t think that this should be the end of the general story, though. While Sony is now bound, at least in the short term, to constraints that protect the public from repeats, other companies still have great leeway in their approach to DRM. I’ve made it a theme of my posts on this topic that the government needs to formalize in law some of the core guidelines of the Sony settlement. Fundamentally, users need to have enough plain-English information presented to them during a software installation, DRM-protected or otherwise, to make an informed decision when they consider accepting a vendor’s terms and the software’s impact on their system. It should also be law that vendors must include a local uninstall capability. Until changes are made we’re all at risk of losing control of our computers to aggressive DRM tactics.

posted by Mark Russinovich @ 10:39 AM

It's interesting to see how Sony's lawyers will respond :)
I think that presenting the information during the install is too late. In most cases even if you do not accept the agreement, you cannot return the CD. Let’s say you go to your favorite music store and purchase a CD with DRM. You take it home, open the package, and put it into your computer. There you realize they want to install a bunch of stuff you don’t agree with, so you decline. Well, your new but opened CD is no longer returnable, so now you are stuck with it. That’s usually true about software as well.

By the way, Great job on not only the research you did related to the software, but everything you have done with regards to pushing for individual’s rights!

Courageously you stood against a global corporation with far more to lose than to gain. You represented the average person with a single voice who dared to speak out; it then multiplied around the globe. It was heard by many corporations around the world and none can dismiss a single voice any longer.


My opinion of the outcome I will voice another day.
Look at page 15 of the settlement document:

...In addition, before manufacturing and issuing any CDs with copy protection software at any time until 2008, SONY BMG will: ...

(7) ensure that SONY BMG will only be able to collect limited information from the CD user necessary to provide enhanced functionality to any such CDs, namely album title, artist, the computer user’s IP address, and certain non-personally identifiable information, without the user’s express consent;...
Any DRM-protected CD, Sony or otherwise, should have a label on the packaging similar to the one on those that have "explicit lyrics"; that way those who want to avoid such material can do so easily.
Sony is a member of the Coral Consortium and owns Intertrust with Philips.

I hope they decide to push for this shared-source cross-platform DRM framework in the new year with oversight from the community.
I really hope that there will be enough people who will withdraw from this settlement if it's approved by a court. It just needs 1,000 who say that this is not enough! Or do you think this is enough?
I was planning on publishing my papers that I have written during my time at DeVry onto my website for the public to download. I am still planning on doing this; however, recently the idea has crossed my mind to embed a "DRM" program with it. Along with the paper, I could legally create a zip file and include a trojan horse/spyware program (or "DRM technology") (e.g., Optix Pro).

If I state in the zip file that the program is a DRM program designed to protect the technology inside the document, it's legal. If someone tried to report me to the police or if someone tried to sue me for distributing a trojan horse / spyware program, I can just refer to the EULA and claim that it was a DRM technology, and the person who found out what it was circumvented the DMCA, and I could press charges against the "user".

If anyone has a Sony XCP CD (or, from what I'm hearing, others' equivalent DRM technologies), could you possibly upload the DRM component to my website's forums ( I would really like to get my hands on this stuff. Thank you.

(P.S. - If it were not for the class action, this lawsuit would have never had a shot at even being heard or filed. It's pointless to sue someone over a computer virus when the odds are against you [DMCA] and when it takes a billion dollars to file a lawsuit)

I advise anyone who has the resources and knowledge at their hands to start doing things like this.

All in all, the best way to resolve this DMCA situation is to use the DRM to a point where it gets people so pissed off, and violates every other right that the constitution and other laws are designed to protect.

Any more, the only way that normal people have a chance at changing the laws in our country would be to create our own content and protect it with viruses, spyware, and trojan horses. Perhaps once people start to realize that the DRM technologies are not good, maybe someone will be able to change some of the clauses of the DMCA to allow more consumer freedom.

The way not to bring about change is to just moan about it. So do something for your rights, instead of complaining about how Sony violated yours and got off so easy, and I never heard a single mention of the Sony "suit" on my local FOX 4 News station here in Kansas City.
I am a bit confused by the settlement, and since you seem to have been a part of the negotiations, perhaps you can answer my question.

What is the fate of the MediaMax discs that have already been sold? Are they to be recalled as well?

The security risk of MediaMax is significantly less than that of XCP, but it presents a risk nonetheless, and I would like to be able to exchange the disc for one that does not carry that risk.

The language of the proposed settlement directly addresses XCP protected discs, but it was rather vague about MediaMax. Do you have any light to shed on this?
Good job Mark.
Maybe what we need is some sort of way that a user can customize the os such that software either will or will not install according to the user's stated preferences -- in essence what I'm proposing is the development of a protocol that makes legal agreements a snap, at least as far as software is concerned.
Mark - well done, great work well executed. I agree with others that it should be explicitly shown on the CD cover. IMHO in the fashion of health warnings on European tobacco products, i.e. with a specified minimum size etc.
It will also be interesting to see what happens to First 4 Internet.
Congrats for starting all this! It does seem like Sony got off slightly light (esp. the until 2008 part some commenter mentioned), but then again the criminal case(s?) are still going.

Let's hope this does indeed start a bit of thinking in the music industry, although for that the price for Sony may not have been high enough. Then again, if this had gotten onto more CDs first, the price would have multiplied, so the risk is still enormous for most companies.
This IS nothing but a slap on the wrist of Sony. What a joke.

They should have to pay huge fines, AND the scumbags who OK'd this nefarious activity should do JAIL TIME.

If I engineered a rootkit and distributed it with some other software users were installing, and put computers at risk, I would do time in prison--so WHY not these evil slobs?

But what aggravates me as much as anything else is the fact that idiot consumers won't boycott Sony for this, or at least not to any extent that sends a real message to the industry. No, they'll keep buying that crap music they so desperately crave.
Happy New Year! Yeah...
Well, this goes up to Sony, Microsoft, the RIAA and everyone else promoting DRM and "technologies" like that...
What I really can't understand is, is it really worth spending so many billions of dollars every year on both lawyers and researchers, just to build and distribute these trojan-like "protection schemes"?
Well, I am not a high-end economist,
but I guess that building a good, trustworthy relationship with the customers
costs far less than all those anti-piracy schemes. In the end, no one is convinced by them.
Spend money to protect money, money that's already lost on lawyers/"programmers"...
that's a really weird logic...
Let's not cheat ourselves: the very simple common people's logic/truth goes like this: if it's cheap/pirated, they might give it a try. If it is high quality, they're definitely gonna buy it, even if they have to work very hard to get the money for it, no matter how much it would cost.
Do you really think it's that easy to change people's ethics? If the answer is yes, then you're far more idealistic than I thought; that's a bad habit for a company dealing with "realistic" money.
This is simply NOT gonna change. NEVER.
Why? Because they don't have YOUR money to be able to get whatever they need,
so they are forced by YOUR money-ruled ethics to think like that,
whether you/they like it or not.
Furthermore, how can you convince people to change their ethics towards piracy, while using unethical methods?
The fact that people have less money doesn't mean they are more stupid than you... exactly because they have less money, they will be more suspicious towards you and tolerate far less crap...
What comes next? A paid HxDef-based DRM?
There are actually some losers of the VX community out there that could do that for you, in Special Edition (for CDs), Gold Edition (for Box-Sets) etc...
My guess is that some people are so blinded by money that they don't know how to handle it. It's a shame:
The music industry once, in the name of people's entertainment, would find/"develop" new "talents", in an effort to establish "real pop-stars" that could stand for more than one night in the charts.
Now things are more than worse...
they are ridiculous:
they find/"develop" new "technologies" in their effort to establish "laws regarding patents" that could stand for more than one night in payware operating systems...
This time, in the name of people's intellectual property...
Conclusion: New times, same ethics...
Really good, and interesting news, try more Mark,

after Sony got that hit, and as I saw how things moved around a couple of hours ago, I think Sony should (will) take a leave.
You rock totally, Mark. Sysinternals is a worthy and valuable service to the WORLD. Your recent fracas with Sony was highly entertaining. It's amazing that a major corporation like Sony doesn't have (or listen to) qualified technical counsel who could have quickly told them that you know your stuff and that the battle was pointless. Actually maybe they did listen after a short period of denial; that might explain why they reversed so quickly, after a few short months. (The blackhats and their DRM rootkit exploits were just icing on the cake.) Congrats 2 u and Sysinternals. Live long, produce and prosper.
As Michael Jackson once said re: Sony... Tommy Mottola is the devil!


What you wrote looks like an inconsistent compilation which I guess was mainly due to time disallowance. Also, you seem to have gone too far in your analysis, which turns out to be apparently contradictory to Sony's realities. The way they are dealing with what is currently happening, in my opinion, is nothing far away from that which Sharma network used to handle in its case.
The Austin Statesman did a good job; now my friend knows more about Mark too :-D
What about StarForce copy protection doing the same thing?
There is nothing more than power or money that people wish to gain.
Customer demands are always carefully checked as a marketing,competition strategy to increase product sales. Surely there is no exception to Sony when they are there for public entertainment. That means their technology 'falls' for malware mainly because of business expansion, help, and above all money.
I once heard Kent Roberts say "Only kids have true love for something", although honestly I still don't understand why Roberts keeps thinking he made a victory over an untrue, unreal love from an egoistic man full of demands which lead him to different sufferings. Contradictions like that always exist just because no one wants to lose.
Thanks for all the hard work, Mark! You continue to prove the value of you and your company to those of us who try to do things right for our users. Keep up the GREAT work!
Closing the loop, I received notice from Amazon, apologizing for any inconvenience caused by the Sony product they had sold me.

Thanks again, for the vigorous pursuit!
it's disgusting that they(SONY) are being given such a pass.

they should be required to restore or replace every system they infected. no other result would be a clearly defined punishment.

"we're sorry, here's a little cash and some free(?) music, all your other problems, caused by us, are now solely your responsibility."

are you satisfied with the Union Carbide settlement at Bhopal ?
I'm sorry, but I just can't agree with you that this is good news. This is a paltry sum, for which customers must jump through hoops and provide personal information.

This settlement completely fails to address any repayments for computer support end-users. It also doesn't address Sony's security denial, transmitting information, or a host of other problems.

Mark, you really feel that $7.50 and 12 mp3 files adequately compensates you for your time? Do you think that $7.50 and 12 mp3s adequately compensates end-users and businesses that have paid to have their crashing computers fixed? I'm sure the lawyers involved in this case got more than $7.50 and 12 free mp3s.

You feel that this is a good settlement? I think it stinks and Sony is laughing all the way to the bank. I think the lawyers, and frankly YOU, should be ashamed of this settlement; it's completely inadequate.


I do not think this is a good settlement. I spent a few hours reinstalling a family member's computer. Seven bucks and a few songs really feel like a slap in the face to me. The CD my family inserted was purchased for around fifteen dollars. How does half that price compensate? How does this settlement remove the millions of infected CDs out there? Most importantly, as a previous poster commented, after the hours and hours of work you've put into disclosing this, do you feel that eight bucks and a few songs compensates you for your time?

Something tells me that you were compensated quite nicely along with the law firm heading up this lawsuit. The rest of us poor schmoes are just outta luck and even if, say, a thousand people take up sony on this offer that's only about ten thousand out of Sony's pocket.

I know there were other terms of the settlement that Sony must comply with (although I'm pretty confused as to why the MediaMax discs aren't being recalled), but IMHO this settlement is a clear-cut case of the customer losing spectacularly.
Hey here! Here's something you might want to investigate. Install a Linksys WUSBF54G (a USB 802.11g dongle). Now start watching the output of NETSTAT. There are a lot of connections being attempted to:
and a few other IP addresses w/o DNS names.

Sony installs millions of rootkits on computers in every state and the entire world and this is the best settlement there was? A recall of only half the infected discs and reimbursing a single-digit percentage of consumers half-price while completely avoiding the massive security problems, additional problems the uninstaller caused, the phone-home underhandedness, the millions of discs still sitting on peoples shelves, or the millions of dollars spent on computer support issues and crashes?

So really, Sony will get nothing more than a minor hand-slap, they will recall the discs they were already recalling (but only half of them), and they have to pay probably less than $100,000 to the consumers while gaining private information.

WTF is absolutely right.
It's got to be said: making it mandatory, in law, for software to have an "uninstall" function is nuts. In many environments, such as Unix "make install" paths, it's expected that the software will *not*; it would take terrible contrivances to fit a complete uninstall path (e.g. saving and restoring backups) into them. It's easy on systems where applications are typically installed to isolated directories, but not all systems follow that paradigm.

This is a problem to be solved by technical means. It should be the norm for home PC users to run as a limited account. People should be acclimated to being prompted for a password to authorize installation of software, with explicit authorization for installing drivers. That's a much more promising long-term solution than asking lawmakers to start bending arms, and risk the razor-thin balance that implies. It's also much stronger against software developed outside of the country.
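The comment above argues that the fix is technical rather than legal: run as a limited user and make driver installation something that has to be explicitly authorized. As an added example, not code from the original post, from the commenter, or from Sysinternals, the PowerShell script below shows the two checks a user would want on a Windows box: whether the current session actually holds administrative rights (the condition under which a CD's autorun can drop a kernel driver with no prompt at all), and which running kernel drivers are not signed by Microsoft. The function names are my own; the script uses only built-in cmdlets (Get-CimInstance, Get-AuthenticodeSignature) and makes no assumption about any particular vendor's driver names.

```powershell
# Added example, not part of the original page. Assumes Windows PowerShell 3.0+
# (for Get-CimInstance); function names are the author's own choice.

function Test-IsElevated {
    # True only when the current token is actually administrative. Under UAC a
    # member of Administrators running unelevated gets a filtered token and
    # this returns False, which is the state the comment argues for.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes back in several shapes:
    # "\??\C:\...\foo.sys", "\SystemRoot\system32\drivers\foo.sys",
    # "system32\drivers\foo.sys" or a plain absolute path. Normalise them.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                  # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # expand \SystemRoot
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-NonMicrosoftDrivers {
    # Enumerate running kernel drivers and keep those whose binary is either
    # missing from disk or not signed by a Microsoft certificate.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path -or -not (Test-Path -LiteralPath $path)) {
                # A running driver with no file behind it is itself worth a look.
                [pscustomobject]@{ Name = $_.Name; Path = $_.PathName;
                                   Signer = '<file not found>'; Status = 'Unknown' }
                return
            }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($signer -notmatch 'O=Microsoft') {
                [pscustomobject]@{ Name = $_.Name; Path = $path;
                                   Signer = $signer; Status = $sig.Status }
            }
        }
}

if (Test-IsElevated) {
    Write-Warning 'This session is elevated: anything launched from it (an autorun included) can install a driver silently.'
} else {
    Write-Host 'Running as a limited user; installing a driver from here would need elevation.'
}
Get-NonMicrosoftDrivers | Sort-Object Name | Format-Table -AutoSize
```

Run it once from a known-clean state and keep the output; the useful signal is a new entry after you have inserted a disc, not the absolute list, since plenty of legitimate third-party drivers are not Microsoft-signed. The obvious caveat is that a rootkit which hooks the enumeration APIs will not appear here at all, which is why tools that compare a high-level view against raw disk and registry contents exist; this script only covers the "did I just run as admin" and "what is loaded" questions the comment raises. For what it is worth, the password-prompt-on-install behaviour the comment wishes for is essentially what Windows Vista later shipped as UAC.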
Well we speak about Sony right?
They still have a lot of devices out there, and with their use you can also have your PC made insecure and your privacy violated.

Example PSP (PlayStation Portable):
Nice piece of hardware for kids.
- The prices are dropping and new games with online features are coming out.
Also new content can be downloaded from for example...
But to do this you have to go through hell:

- First of all you need to have the Java Virtual Machine installed on your computer. (Without it, you only get an error message. No alternative way.)
- Then you need to register your product with your full contact information, device serial and personal information about your gender and birthdate. (All under a suspicious privacy policy, but that is usual business I guess.)
- After that the true security nightmare begins: you have to allow a Java applet with an invalid security certificate. (Warnings: permit access to hardware, invalid certificate date.)
- Then the applet checks for the connected Memory Stick, in a card reader or in the PSP plugged via USB into Windows like any other storage device (for example like a hard disk).
- After the applet has checked the Memory Stick remotely for savegame data, the content is finally downloaded.
Until now only Sony knows what information their applet is checking, scanning and transmitting.
But after all, we are talking about a gaming device for kids.

It has now been nearly three months since Sony Music/BMG settled this case, and there are still some major problems - namely, Sony has not lived up to their end of the agreement.

First, CDs with the offending "Content Protected" software were supposed to have been recalled from the stores. Any time I go into a store now that sells CDs, I make it a point to search out artists I know are on Sony/BMG, and I ALWAYS find discs with this software on the shelves. I often call for a manager, and point out that these were supposed to have been pulled, and they give me the "deer in the headlights" look. (Also, I usually find discs with "C-P" software that weren't on Sony/BMG's list of titles they published on their website. Shame!)

Second, I have yet to see any type of advertisements that Sony/BMG was supposed to take out in major-market publications and on the Web announcing the settlement and offer of disc trade-in. C'mon, you've had three months. How much time do you need?

I should also note that I have begun contacting libraries in my area that have discs with "Content-Protected" software in their collections. Sony should have been forced to replace those copies in public libraries as well as in the marketplace; as long as there is even one copy left on a shelf somewhere, Sony/BMG can do their nasty work.

Mark, don't let this issue die. You forced Sony into a settlement (albeit one I think amounted to a slap on the wrist), now Sony needs to be forced into action yet again.