Tuesday, November 15, 2005

How Much Worse Can This Get?

Mark Russinovich, the guy who originally broke the Sony Rootkit story on his blog, has continued to follow this issue. He has added a post to his blog that describes, in detail, how the Sony player software "phones home" to Sony. Summarizing his post doesn't do it justice, so I've snipped heavily. Please take a minute to read on:

>snip<

The EULA also makes no reference to any “phone home” behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior.

* * *

I decided to investigate, so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player’s startup. A quick look through the trace log confirmed the user's comment: the Player does send an ID to a Sony web site. This screenshot shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID:



In response the Sony web site reports the last time a particular file was updated:



I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it.

>snip<
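To make concrete the quoted point that such a connection would let the servers record each play and the IP address of the computer, here is an added example (not from Russinovich's post or this blog, and not Sony's code) that rebuilds a per-address play history from web-server access log lines. The log lines, the request path and the `id` parameter name are constructed assumptions; only ID 668 comes from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample: access log lines in Common Log Format, documentation IPs.
# The path and the "id" parameter name are assumptions, not the real request.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Nov/2005:09:01:12 +0000] "GET /example/update?id=668 HTTP/1.1" 200 312
198.51.100.7 - - [15/Nov/2005:09:14:40 +0000] "GET /example/update?id=668 HTTP/1.1" 200 312
192.0.2.10 - - [15/Nov/2005:20:30:05 +0000] "GET /example/update?id=701 HTTP/1.1" 200 298
192.0.2.10 - - [16/Nov/2005:08:02:51 +0000] "GET /example/update?id=668 HTTP/1.1" 200 312
203.0.113.5 - - [16/Nov/2005:08:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>[^\s?]+)(?:\?(?P<query>\S*))? HTTP/[\d.]+" \d{3} \S+$'
)

def play_history(log_text):
    """Return {client_ip: [(timestamp, disc_id), ...]} for update-check requests."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("query"):
            continue  # malformed line, or a request that carries no query string
        ids = parse_qs(m.group("query")).get("id")
        if not ids or not ids[0].isdigit():
            continue  # no numeric disc ID in this request
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        history[m.group("ip")].append((ts, int(ids[0])))
    for events in history.values():
        events.sort()  # chronological order per client
    return dict(history)

def summarize(history):
    """Per client address: discs seen, number of plays, first and last time seen."""
    return {
        ip: {
            "discs": sorted({disc for _, disc in events}),
            "plays": len(events),
            "first_seen": events[0][0].isoformat(),
            "last_seen": events[-1][0].isoformat(),
        }
        for ip, events in history.items()
    }

if __name__ == "__main__":
    print(summarize(play_history(SAMPLE_LOG)))
```

Nothing beyond ordinary web-server logging is needed on the receiving side: the timestamp and client address are recorded by default, and the ID arrives in the request itself.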
