Fwd: EFFector 18.39: Are You Infected with Sony-BMG's Rootkit?

Begin forwarded message:
>
>
> EFFector Vol. 18, No. 39 November 11, 2005 [email protected]
>
> A Publication of the Electronic Frontier Foundation
> ISSN 1062-9424
>
> In the 355th Issue of EFFector:
>
> * Are You Infected with Sony-BMG's Rootkit?
> * Sony-BMG Rootkit: EFF Collecting Stories, Considering
> Litigation
> * News Website Can Keep Domain Name After Trademark Fight
> * PATRIOT Alert: A Battle Won, but Urgent Action Still
> Needed
> * Passing the Buck: or, the Printer as a Fine French Wine
> * Anti-Cell Phone Tracking Judicial Revolution Spreads to
> NYC
> * Non-Profit Coalition Wins Challenge to Federal Watch-List
> Policy
> * miniLinks (9): DRM This, Sony!
> * Administrivia
>
> For more information on EFF activities & alerts:
> <http://www.eff.org/>
>
> Make a donation and become an EFF member today!
> <https://secure.eff.org/support>
>
> Tell a friend about EFF:
> <http://action.eff.org/site/Ecard?ecard_id61>
>
> : . : . : . : . : . : . : . : . : . : . : . : . : . : . :
>
> * Are You Infected with Sony-BMG's Rootkit?
>
> EFF Confirms Secret Software on 19 CDs
>
> San Francisco - News that some Sony-BMG music CDs install
> secret rootkit software on their owners' computers has
> shocked and angered thousands of music fans in recent days.
> Among the causes for concern is Sony's refusal to publicly
> list which CDs contain the infectious software and to
> provide a way for music fans to remove it. Now, the
> Electronic Frontier Foundation (EFF) has confirmed that the
> stealth program is deployed on at least 19 CDs in a variety
> of genres.
>
> The software, created by First 4 Internet and known as
> XCP2, ostensibly "protects" the music from illegal copying.
> But in fact, it blocks a number of legal uses–like
> listening to songs on your iPod. The software also
> reportedly slows down your computer and makes it more
> susceptible to crashes and third-party attacks. And since
> the program is designed to hide itself, users may have
> trouble diagnosing the problem.
>
> "Entertainment companies often complain that fans refuse to
> respect their intellectual property rights. Yet tools like
> this refuse to respect our own personal property rights,"
> said EFF staff attorney Jason Schultz. "Sony's tactics here
> are hypocritical, in addition to being a security threat."
>
> If you listened to a CD with the XCP software on your
> Windows PC, your computer is likely already infected. An
> EFF investigation confirmed XCP software on 19 titles, but
> it's far from a complete list. Sony-BMG continues to refuse
> to make such a list available to consumers.
>
> Consumers can spot CDs with XCP by inspecting a CD closely,
> checking the left transparent spine on the front of the
> case for a label that says "CONTENT PROTECTED." The back of
> these CDs also mentions XCP in fine print. You can find
> pictures of these and other telltale labeling at
> <http://www.eff.org/IP/DRM/Sony-BMG/> .
>
> "Music fans should protect themselves from this stealth
> attack on their computer system," said EFF Senior Staff
> Attorney Fred von Lohmann.
>
> For EFF's list of CDs with XCP:
> <http://www.eff.org/deeplinks/archives/004144.php>
>
> The "legalese rootkit" - Sony-BMG's EULA:
> <http://www.eff.org/deeplinks/archives/004145.php>
>
> For this release:
> <http://www.eff.org/news/archives/2005_11.php#004146>
>
> : . : . : . : . : . : . : . : . : . : . : . : . : . : . :
>
> * Sony-BMG Rootkit: EFF Collecting Stories, Considering
> Litigation
>
> EFF is collecting stories from EFF members and supporters who
> have purchased Sony-BMG CDs that contained the rootkit copy
> protection software. We're considering whether the effect on
> the public, or on EFF members, is sufficiently serious to
> merit EFF filing a lawsuit.
>
> If you satisfy the following criteria, we would like to hear
> from you:
>
> 1. You have a Windows computer;
> 2. First 4 Internet's XCP copy protection has been installed
> on your computer from a Sony CD (for more details, see our
> blog post referenced above or the SysInternals blog,
> http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html);
> 3. You reside in either California or New York; and
> 4. You are willing to participate in litigation.
>
> We have not made a final decision about filing any legal
> action, but we would like to hear from music fans who have
> been harmed by the Sony-BMG rootkit copy protection
> technology. Please contact [email protected] for more
> information.
>
> : . : . : . : . : . : . : . : . : . : . : . : . : . : . :
>
> * News Website Can Keep Domain Name After Trademark Fight
>
> AcompliaReport.com Settles Fair Use Dispute with Drug
> Company
>
> San Francisco - A medical news website, with the assistance
> of the Electronic Frontier Foundation (EFF), settled a
> dispute with a French pharmaceutical giant over using the
> name of a trademarked medication, Acomplia.
>
> The settlement came after EFF filed suit on behalf of
> AcompliaReport.com, an independent online newsletter
> devoted to reporting about a drug called Acomplia.
> Acomplia may help consumers lose weight and quit smoking,
> but is not yet approved by the US Food and Drug
> Administration (FDA). Since March 2004, AcompliaReport.com
> has published original news and commentary about Acomplia's
> clinical trials, the drug approval process, and
> anti-obesity drugs in general–all aimed at helping
> consumers make more informed decisions about their health.
>
> To emphasize the newsletter's impartiality, every page has
> always included the subheading "your independent source of
> news and reviews about the new diet drug Acomplia."
> Nevertheless, drug maker Sanofi-Aventis claimed that the
> use of the term "Acomplia" in the AcompliaReport domain
> name created a "risk of confusion." Sanofi asked an
> international arbitrator to order the domain name
> transferred, alleging that the publisher of the
> AcompliaReport, Milton R. Benjamin, was a cybersquatter.
> Benjamin promptly sought a declaration from a U.S. district
> court protecting his right to the domain name, claiming
> both fair use and First Amendment rights to the name as an
> online publisher.
>
> "Sanofi's tactics threatened to quash free and accurate
> speech," said EFF staff attorney Corynne McSherry. "The
> website uses the Acomplia mark solely to refer to Sanofi's
> product. That use is a textbook fair use. And basic First
> Amendment principles barred Sanofi from using trademark law
> to shut down an independent news site."
>
> Under terms of Tuesday's settlement, AcompliaReport.com
> keeps its domain name, as long as there is a disclaimer
> stating that the website is not associated with
> Sanofi-Aventis.
>
> "We are happy to have this absurd dispute behind us,
> enabling us to focus on independent coverage of the
> regulatory process and further development of a novel drug
> that appears to have the potential to be of considerable
> benefit to many people," said Benjamin. "A news site needs
> to be able to use a trademarked name in order to report on
> a trademarked product."
>
> For this release:
> <http://www.eff.org/news/archives/2005_11.php#004143>
>
> : . : . : . : . : . : . : . : . : . : . : . : . : . : . :
>
> * PATRIOT Alert: A Battle Won, but Urgent Action Still Needed
>
> Over the next few days, select members of the US House and
> Senate will be haggling in conference over the wording of a
> new bill to renew the USA PATRIOT Act.
>
> Thanks in part to your calls and lobbying, the House of
> Representatives has already instructed its conferees to
> attach shorter four-year "sunset" provisions to some of the
> act's more outrageous surveillance powers. But there are
> plenty more checks and balances that still need to be added.
>
> That's why we're asking everyone to call your Representative
> and Senators and urge them to tell the conference members to
> support the Senate version of the bill, which contains new
> safeguards lacking in the House version.
>
> Now is your last best chance to influence the debate over
> PATRIOT before the renewal bill reaches the President's desk.
> Find out the phone numbers of your Representative and
> Senators by clicking below. You'll find more information on
> the PATRIOT bill and a suggested phone script for you to use.
>
> Don't hesitate – call today!
>
> <https://action.eff.org/site/Advocacy?alertId7&pg=makeACall>
>
> : . : . : . : . : . : . : . : . : . : . : . : . : . : . :
>
> * Passing the Buck: or, the Printer as a Fine French Wine
>
> Xerox responded to our research on how printers made by Xerox
> and other companies track the origin of documents you print.
> Its new "Xerox Statement on Counterfeit Detection" contains
> some bizarre suggestions. The most prominent of these is that
> Xerox's invasions of privacy are OK because other privacy
> invasions are worse.
>
> "Unlike much of the computer spy-ware prevalent on the
> internet today, the yellow dots do not 'contact' Xerox or the
> government and send user content or location," the statement
> reads. "In a world where your cell phone gives your
> location, all your phone calls are logged and available on
> the net, your credit card transactions compiled and your
> network browsing stored, the 'yellow dots' are innocuous and
> they give considerable protection against specific criminal
> behavior, such as counterfeiting."
>
> That's right: Xerox defends its decision because it's not as
> big an intrusion as spyware, wiretapping, or spying on you
> through your cell phone. It's the everybody-else-is-doing-it
> excuse. The company seems to be channelling Sun CEO Scott
> McNealy, who told a group of journalists in 1999 that "[y]ou
> have zero privacy anyway. Get over it."
>
> EFF and other privacy advocates have been fighting for years
> to reverse the trends Xerox mentions, or to enhance the tools
> available to the public for defending themselves. This month,
> we won major victories as courts, agreeing with our legal
> arguments, restricted the government's ability to use cell
> phones to track individuals' movements. We also fought for
> the public's right to use encryption to send private e-mail
> and make private telephone calls, and we supported the
> development of Tor to help users browse the Internet without
> identifying themselves. We argued for computer users' rights
> to remove spyware from their own computers and to teach
> others how to do so. EFF fought and won court cases
> protecting the anonymity of on-line critics. Through these
> cases, we helped extend the U.S. tradition of legal
> protection for anonymous pamphleteers firmly into the on-line
> world.
>
> Xerox goes on to say that we should actually be reassured by
> the tracking, since it's for our own protection. "Many
> products–cars, food, medicines, computers, toys and many
> more, have such features for the protection of customers.
> French wines put this proudly on their label."
>
> While it's comforting to know that our office equipment has
> something in common with a fine wine, our privacy is
> threatened in a particular way by tracking systems embedded
> in our communication technologies, in a way that it is
> typically not threatened by toys or beverages.
>
> For the full Xerox statement:
> <http://www.eff.org/Privacy/printers/?f=xerox-statement.html>
>
> For more analysis:
> <http://www.eff.org/deeplinks/archives/004151.php>
>
>
> * Anti-Cell Phone Tracking Judicial Revolution Spreads to NYC
>
> One more magistrate judge refused to allow the government's
> practice of secretly using cell phones to track people
> without probable cause–this time in the Southern District of
> New York (Manhattan). The magistrate judge declined to grant
> the government's request "without further briefing from the
> Government concerning the propriety of issuing these orders."
>
> The SDNY judge sought further briefing due to an August
> decision from a magistrate judge in the Eastern District of
> New York (Long Island) denying a similar government request.
> The government provided a letter brief in support, and, upon
> the court's request, the SDNY Federal Defender's Office
> responded last week with an amicus brief in opposition.
>
> The US Attorney for the SDNY faces an uphill battle: Two
> courts (the EDNY and the Southern District of Texas)
> considered the government's arguments so far, and both found
> them completely unpersuasive. Recognizing the importance of
> this decision, both magistrate judges urged an appeal in
> order to allow a Circuit Court to rule on this pernicious
> practice.
>
> Nevertheless, the US Attorney's Offices in those
> jurisdictions elected not to appeal the adverse decisions.
> This has not prevented the SDNY US Attorney from moving
> forward here, however. Distressingly, the government's brief
> reveals that US Attorneys' offices all over the country have
> "routinely applied for and obtained court orders [compelling]
> cellular telephone companies to report…cell site data, for a
> particular cell phone on a prospective basis."
>
> EFF applauds those judges and magistrates who care enough
> about your rights to challenge the government when it makes
> these unsubstantiated requests for cell site data.
>
>
> For more on government cell phone tracking:
> <http://www.eff.org/legal/cases/USA_v_PenRegister/>
>
> : . : . : . : . : . : . : . : . : . : . : . : . : . : . :
>
> * Nonprofit Coalition Wins Challenge to Federal Watch-List
> Policy
>
> EFF and 12 other national nonprofit organizations won their
> battle against a government fundraising policy that required
> checking employees against terrorist government watch-lists.
> It's a big victory for free speech and privacy–not to
> mention the nonprofits and the federal employees who want to
> support them through the Combined Federal Campaign, or CFC.
>
> CFC allows federal workers to donate to charities with
> automatic payroll deductions, and it raises hundreds of
> millions of dollars every year for thousands of
> organizations. But CFC rules put in place last year would
> have forced us to check all of our employees and expenditures
> against several anti-terrorism "black lists" of people and
> organizations that the government suspects are linked to
> terrorism.
>
> EFF withdrew from the program in protest. We knew that those
> watch-lists are created by the government with secret
> information that is notoriously unreliable and we refused to
> violate the privacy of our clients and employees. But now
> that the federal government dropped the list-checking
> requirements, EFF will join the CFC again. We hope that our
> members will support us and the new policy by donating to EFF
> through the CFC.
>
> Press release from the ACLU:
> <http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID239&c 6>
>
> : . : . : . : . : . : . : . : . : . : . : . : . : . : . :
>
> * miniLinks
> miniLinks features noteworthy news items from around the
> Internet.
>
> ~ DRM This, Sony!
> CNET's Molly Wood lays the smack down on Sony and their
> deceptive DRM.
> <http://www.cnet.com/4520-6033_1-6376177.html>
>
> ~ Forrester Grieves for the Music Industry
> Suggests they're passing through denial, anger, bargaining,
> depression–and hopefully, one day, acceptance.
> <http://www.forrester.com/Research/Document/Excerpt/0,7211,36036,00.html>
>
> ~ DRM Crippled CD: A Bizarre Tale
> Market strategist Barry Ritholtz fumes at the idiocy of
> copy-restricted CDs.
> <http://bigpicture.typepad.com/comments/2005/10/drm_crippled_cd.html>
>
> ~ DRM and Universities
> A sad, first-hand account of academics demanding DRM for
> their own lectures.
> <http://ono.cdlib.org/archives/shimenawa/000198.html>
>
> ~ Computer HDTV tuners down to $150
> In a market that would have been eliminated by the broadcast
> flag, competition works its magic.
> <http://www.fusionhdtv.co.kr/eng/Products/HDTV5usb.aspx>
>
> ~ The Hole Truth From Wendy Seltzer
> Brooklyn Law prof and EFF alumna deconstructs last Thursday's
> broadcast flag hearing.
> <http://cyber.law.harvard.edu/home/home?
> wid&func=viewSubmission&sid