Tuesday, January 03, 2006

Ed Felten's Analysis of Whether Sony Violated the Computer Fraud and Abuse Act

Ed Felten (not a lawyer) provides his analysis of whether Sony violated the Computer Fraud and Abuse Act by including DRM rootkits on some of its CDs. Interesting analysis and worthy of a read.

Sunday, December 04, 2005

Spearphishing--Targeted Phishing

CNET covers a somewhat new phenomenon called "Spear Phishing." The article contains an account of victims who were very specifically targeted by phishers and the discovery of the technique by the Israeli police.

Good reading.

Tuesday, November 15, 2005

How Much Worse Can This Get?

Mark Russinovich, the guy who originally broke the Sony Rootkit story on his blog, has continued to follow this issue. He has added a post to his blog that describes in detail how the Sony player software "phones home" to Sony. Summarizing his post doesn't do it justice, so I've snipped heavily. Please take a minute to read on:

>snip<

The EULA also makes no reference to any “phone home” behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior.

* * *

I decided to investigate so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player’s startup. A quick look through the trace log confirmed the user's comment: the Player does send an ID to a Sony web site. This screenshot shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID:



In response the Sony web site reports the last time a particular file was updated:



I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it.

>snip

Timeline of Sony's Embarrassment

Boing Boing put together this great timeline of the Sony Rootkit debacle. Read it here.

Sunday, November 13, 2005

Sony's Petard?

If a post on this web site is correct, then Sony may have some copyright problems of its own. This site claims that portions of the rootkit code Sony distributed on some of its CDs contain code that is licensed under the LGPL (the Lesser GNU Public License). The code allegedly comes from LAME (Lame Ain't an MP3 Encoder), an Open Source MP3 encoder.

This quote sums up the problems Sony may have under the LGPL, if the Web site's claims are valid:

"According to [the LGPL] license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software."


Anyone want to start a pool with guesses on how long it takes for someone to sue Sony under the terms of the Lesser GNU Public License? I'm thinking of the suits in Germany earlier this year....

By the way, you can read the LGPL here on the GNU Web site.

[I read it first on BoingBoing]

Friday, November 11, 2005

Stewart Baker's (Hint Hint) Message for Sony

The Washington Post has a captured webcast stream of comments by Stewart Baker on what must clearly be Sony's recent DRM measures:

"It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Stewart Baker was recently appointed by Bush to be the Department of Homeland Security's assistant secretary for policy.

You can view the Webcast here.

Thursday, November 10, 2005

Background on the Sony DRM Rootkit

Class Action Suit Filed Against Sony for Rootkit-based DRM on CDs

Consumers in California filed a class action against Sony based upon the rootkit-based Digital Rights Management technology that Sony has included on several CDs they released. The complaint alleges that Sony did not disclose enough information about the DRM on the CD.

Run a Google search for stories about the lawsuits.

You can review a copy of the Complaint here.

Anti-virus company Sophos has detected an exploit that is using the Sony DRM software to hide its tracks.

Mark Russinovich has a detailed explanation on his blog of how the Sony DRM works and why people are claiming that it is a rootkit. I STRONGLY recommend reading it before discussing these issues.

You can read a copy of the EULA for Sony's CDs with the Rootkit DRM here.

Thursday, October 06, 2005

Seminar Materials

On 6 October 2005, Damien Riehl and Michael McGuire presented a continuing legal education seminar on the subject of Malware. This blog hosts the seminar materials, the PowerPoint slides, and links to some of the sources referenced during the presentation.

Seminar Materials

PowerPoint Presentation

Examples of Phishing Attacks

The Anti-Phishing Working Group maintains an archive of past phishing attacks, with details about the attacks, including samples of the email messages.

This entry shows an attack against US Bank.

Example of a Spoofed Hyperlink

This looks like a link to our blog at malwarecle.blogspot.com.