redxii | reply to Mowergun
Re: Microsoft will wipe Sony's 'rootkit' and more
said by Mowergun: Unfortunately Sony has the resources to destroy you even if you are in the right. No one turns down a lawsuit against Microsoft even for the most inane things. This post might seem useless, but the past has taught us this.
-- Microsoft Windows 2000/XP Security: Some Assembly Required.
catseyenu | reply to Mowergun
I'll bet Spitzer would love a piece of this.

| reply to redxii
Yes, but what lawyer would turn down deep pockets like Sony when they want to sue you into oblivion?
dave | reply to K McAleavey
Does anyone actually BELIEVE we could be sued when we're NOT circumventing the protection, but simply planning on REMOVING it? I believe you can be sued, sure.
I'm not so sure that the suit will prove to have legal merit, but nevertheless, that fact might not emerge until after you've had to burn a lot of money on defending your rights.
You can be sued for almost anything, rightly or wrongly.
pog | reply to K McAleavey
First of all, IANAL... but I can see the logic of your argument... you are not breaking the protection. You are simply restoring the system to the state it was in prior to the disk first being inserted. When the user reinserts the CD after your program has run, the user must agree to the EULA in order to listen to the music (and reinfect themselves). I fail to see much difference between this and, say, the user reinstalling Windows. If your application also turned off the user's auto-insert notification, that might be problematic... there was that furor over the guy telling folks about the shift key, as I recall...
However, the legal risks, never mind being right about things, may not be worth it.
On another note, I'm wondering why a user can't just run a decloaking utility and then delete their CD drives from the device manager. Upon reboot/redetection, does the filter get reinstalled?
K McAleavey | reply to SanJoseNerd
It certainly has been a major distraction, both in terms of worried customers, as well as having to document things that normally only occupy a few seconds of lab time.
There's a litany of items on the repercussions on google:
»www.google.com/search?q=dcma+cop···tion+law
And there IS a challenge to this silliness before congress ... HR 1201 ...
DMCRA (from Wikipedia, the free encyclopedia)
The Digital Media Consumers' Rights Act (DMCRA) is a direct challenge to portions of the DMCA, and would intensify FTC efforts to mandate proper labeling for copy-protected CDs to ensure consumer protection from deceptive labeling practices. It would also allow manufacturers to innovate in hardware designs and allow consumers to treat CDs as they have historically been able to treat them.
The DMCRA bill was introduced to the House on January 7, 2003 as H. R. 107 by Richard Boucher (D-VA). The bill was co-sponsored by John Doolittle (R-CA), Spencer Bachus (R-AL) and Patrick J. Kennedy (D-RI).
The bill was reintroduced into Congress once again on March 9, 2005 as H. R. 1201, the 'Digital Media Consumers Rights Act of 2005'. The 2005 bill's original co-sponsors were John Doolittle (R-CA), and Joe Barton (R-TX).
Official summary of the bill
The authors of the bill have summarized it as follows:
The Digital Media Consumers Rights Act (DMCRA) restores the historical balance in copyright law and ensures the proper labeling of "copy-protected compact discs".
1) Restores the Historic Balance in U.S. Copyright Law
Reaffirms Fair Use. The DMCRA provides that it is not a violation of Section 1201 of Title 17 (the Digital Millennium Copyright Act, or DMCA) to circumvent a technological measure in connection with gaining access to or using a work if the circumvention does not result in an infringement of the copyright in the work. For example, under the bill a user may circumvent an access control on an electronic book he purchased for the purpose of reading it on a different electronic reader. However, if he were to upload the book onto the Internet for distribution to others, he would be liable for both a Section 1201 circumvention violation and for copyright infringement.
Reestablishes Betamax Standard. The DMCRA also would specify that it is not a violation of Section 1201 of the DMCA to manufacture, distribute, or make non-infringing use of a hardware or software product capable of enabling significant non-infringing use of a copyrighted work. By re-establishing the principle set forth in Sony v. Universal City Studios, 464 U.S. 417 (1984), this provision is intended to ensure that consumers will have access to hardware and software products by which to engage in the activities authorized by the legislation. For example, a blind person could develop a means to listen in audio form to an electronic book which had been purchased in text form.
Restores Valid Scientific Research. The bill amends the DMCA to permit researchers to produce the software tools necessary to carry out "scientific research into technological protection measures." Current law allows circumvention for encryption research under specified circumstances. The bill will enable circumvention for research on technological measures other than encryption. The bill also permits a researcher to develop the tools necessary for such circumvention.
2) Ensures Proper Labeling of "Copy-Protected Compact Discs"
Major record companies have begun adding technology to CDs that would block people from making copies. In many cases the technology has also prevented playback on computers, DVD players, or even some standard CD players. It has become apparent that even the limited introduction of these discs into the United States market has caused consumer confusion and increased burdens on retailers and manufacturers. Consumers are accustomed to the functionality of industry standard Compact Discs and should be aware of any reduced playability or recording functionality of non-standard "copy-protected compact discs" before they make the decision to purchase such items. For that reason, the bill directs the Federal Trade Commission to ensure that adequate labeling occurs for the benefit of consumers.
PDF file here:
»frwebgate.access.gpo.gov/cgi-bin···.txt.pdf
But until changed, what SONY's pulling is PERFECTLY legal, that's what I keep getting in my face. 
And like I said, as long as what we do is done for the benefit of our "private customers" no problem, but given the lack of a solution for the general public, I'd sure like to release the code I wrote for everyone else. -- Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again)»www.nsclean.com
Spanner | reply to K McAleavey
Hi Kevin,
No sleep for the "evil vendor" again I see lol.
I would be quite prepared to host this BS Buster code of yours, and make it available for Everyone + Anyone.
You have my email @ so just send it to me ( incognito ) of course from a one off safe untraceable @ and I'll do it. Of course I'll use ( methods ) too and mysteriously discover it by Accident, it happens !
Make sure there's NO trace of you or BOClean in the code, Natch !
Spanner -- I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks
| reply to K McAleavey
I suppose if you were to provide a stand-alone version of the uninstaller to your private customers and then any one of your private customers were to allow/abet the escape of the uninstaller into the public domain, then your manhood would still be in a vise?
K McAleavey | reply to SanJoseNerd
Strange legal situation for us under New York State law - we got sued a number of years ago over a backdoor turned "commercial" called "Netbus" ... every other vendor caved to their "do not detect us" demand whereas we stood up to them in agreeing to offer removal as an "option" rather than a promise. Our legal basis for the precedent was that we were not legally considered a "common carrier" by nature of our not distributing our software to the "general public" and legally, that constituted the equivalent of a "private club" wherein we were required to satisfy the requirements of our "members" as to what we covered. Long and thin of it was that we are not held to the same legal standards as "publicly available" software. That's always been our ace in the hole over the years, and the reason why when certain "spyware" companies threatened us, we could legally thumb our noses at their requests NOT to detect them on the basis of "our customers can choose to exclude and not detect."
To our lawyers, if we cross that line and "go public" with a freebie, then that precedent could be eroded. -- Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again)»www.nsclean.com
| reply to K McAleavey
Suppose you were to market the uninstaller separate from BOClean, but not free, perhaps a nominal price of one dollar with a EULA specifically prohibiting the distribution or use of the uninstaller on other than the license holder's computer. Would your current precedent under NY law apply, while at the same time not endangering the protection that BOClean enjoys?
K McAleavey | reply to pog
One of the most upsetting things I ran into when trying to come up with a standalone utility that we could give away to solve the problem is that nuking the various files associated with this nasty is truly a no-brainer. Everything except for a handful of junk, extraneous files is in that \%SYSTEMROOT%\SYSTEM32\%sys%filesystem subfolder. Nuke the contents, and it's gone.
Except for that nasty crater.sys file which asserts itself into the Enum hardware registry chain as a "filter." IF you remove the crater.sys file, then your drives no longer work without manually going through the registry.
Here's where it gets ugly and why it's difficult, and why I chose to write up a quickie freebie ... even if "vendors" WANTED to just delete that stuff, doing so breaks the system. Now folks who know the registry inside out can go search for entrails of "$sys$" and fix their registry entries and bring the system back to life.
That's NOT what WE do. Our design is such that the end user doesn't HAVE to know how to edit a registry or do anything "technical" and that's always been what we do. So any CURE we were to provide would NEED to be automatic and would be able to detect ANY enum key, see if it's been hosed and FIX it. And therein is the reason why other "vendors" haven't just ripped that stuff out. It can BREAK a system. THEN what?
Going back in and removing those drive filters is the major trick in cleaning up the mess SONY caused, and doing so and then advising the victim, "clean up your registry now" is NOT an option. Therein lies the REAL rub. Folks expect an automatic tool to not require any further action and the situation presented by just removing the files can leave a lot of people in a nasty mess.
Only reason why *I* bothered writing the code is that we're used to making things completely "hands-off, no experience necessary." -- Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again)»www.nsclean.com
K McAleavey | reply to Mowergun
That's what we're still bickering over internally, much to my chagrin. And THANKS, Spanner for the offer - I'm still hoping we can clear this for release and bandwidth is a serious wallet hit. I'd definitely want to host it out to anyone who'd like to make it available. But given our situation legally in New York, there are issues that are being discussed further up the food chain with "Justice" as to precisely where we would stand if we release it. Irks me to no end though after writing specific code for this specific situation without it polluting what we do for our regular customers.
What I've learned from this (so far) painful experience is that the copyright laws are perhaps the worst sausage yet from our federales ... thoroughly vague, and no provisions whatsoever for when copyright holders turn rogue.
Protection of intellectual property is a valid legal concern. When it turns to backdooring systems, and exposing innocent people to violation at the hands of script kiddies, I find it INSANELY unconscionable that laws which supposedly "protect" us are turned AGAINST us. And as I said, this isn't about circumventing protection, it's about protecting against circumvention. And yet the law leaves us entirely in limbo. -- Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again)»www.nsclean.com
Wildcatboy | reply to K McAleavey
I don't disagree with the discussion in this thread and I believe it's a good thing to create awareness about the laws that govern people and how they came about.
However what confuses me here is what differs your situation from any other AV and AT company? Are you suggesting that no other AV company could come up with the removal tool and they couldn't understand how this software works? Are you suggesting that you're the only one with a removal tool gathering dust?
I'm sure every one of those companies knows how to go all the way and remove everything and just like you, none of them have decided to make it public for the same reasons.
So unless you are announcing that you are making it public, there's really no difference between what you are doing and what they are doing except you're being vocal about it.
It's just a matter of principles and depending on where your principles lie, you should decide what you're going to do with it. You can decide that following this particular law would bring more harm than it does good, in which case you should break it and provide the tool to the public anonymously of course. Or you decide breaking the law no matter how stupid the law is, is not acceptable to you, in which case you burn the code.
However at least currently or unless there are some changes to DMCA, I don't believe it is legally possible to release the code and get credit for it at the same time which is what you seem to be looking for and I'm certain you knew that already.
Another workaround to this dilemma if you care, is to publish manual removal instructions, again, most likely anonymously, in any public board or on the Usenet and it will spread like wildfire in a matter of seconds.
I'm also certain that someone sooner or later will provide such a tool on the Internet and commercial companies will follow by providing some crippled version of it to cover their backs and make money at the same time. This is what the Internet community has always done and more often than not, good things are done by those who are not looking for credit. -- You can catch the Devil, but you can't hold him long.
K McAleavey | reply to Mowergun
MY whole point is that since what I wrote ISN'T BOClean, and ISN'T anything we currently do (no need for it for our customers) the concern among the lawyers is that it would expose the COMPANY to risk. In other words, what BOClean does, and this unique, unrelated code does aren't connected in any way other than the risk of violating DCMA and WIPO in the first place by offering a "defeat mechanism to copy protection." It's the whole interpretation of "defeating copy protection" that is the issue to our lawyers BECAUSE WIPO and DCMA are so legally VAGUE. Has nothing to do with BOClean, has to do with *US*.
The concern of course is that if we get sued for releasing, then that could harm our existing customers, thus the prohibition on the release. And according to the latest "Kevin, SHUT UP!" from them, they're discussing the theoreticals and still aren't satisfied that there's no risk. I continue to disagree because the LAW says that circumventing the encryption is the issue, whereas my OWN belief is that we're not circumventing ANYTHING by removing the DRM stuff - that any DRM software would recognize the lack of DRM "protection" and would fail to operate as the distributors intended and therefore, it would function as designed if we were to remove the surreptitiously-installed malware. My point being that this point is being lost in the continuing arguments. But I've just been RE-reminded that WE don't want to be the "test case" ... agggh.
But I *do* see why NOBODY else, including Microsoft, has the STONES to call a shovel a shovel. -- Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again)»www.nsclean.com
K McAleavey | reply to Wildcatboy
Greetings, and THANKS for your indulgence! I was genuinely concerned about going into the degree of details for fear that some of the message would be lost.
No, I'm certain that any "vendor" could provide a solution, and frankly my major point of surprise is that they HAVEN'T. Wasn't until last Friday that I got my first glimpse of WHY, and that's the primary reason for my disdain. As it was explained to me before I spent the weekend documenting and coding, was that "the rootkit is a problem. It's CLEAR that this is a risk and any vendor is COMPLETELY justified in "de-cloaking" THAT part because it is being exploited."
But folks don't just want it to be "de-cloaked," they want it GONE and again, I was surprised that what we normally do, "byebye" wasn't the standard for everyone else to any "unwelcome intruder." What I got by expressing that was a rather intense "education" on the "sanctity" under the law for "copyright management" and WHY I already violated the principle of DCMA by the way we handled it when it first appeared (our lawyers were rather upset that we already nuked this all and nobody told them) ...
The BIGGEST surprise was that our own told us that we were technically in violation of DCMA by the simple act of detecting this stuff. And I spent most of the weekend reading this, that, and the other thing only getting angrier with each page flip.
But it's not a question of nobody being CAPABLE, it's a question of fear of being sued by SONY. And major companies who have assets to lose apparently ain't got the "gumption" to challenge this. I can understand the AV's not going past deleting aries.sys, we've seen enough of spyware merchants being given a pass before. But for the 500 pound gorilla (Microsoft) also bowing to this, well ... that was a bit much.
There IS a technical issue though with crater.sys ... that asserts itself as a filter in the hardware entries in ENUM in the registry - if you remove crater.sys, then the missing filter will actually cause devices to no longer exist. And since the ENUM keys are specific to specific manufacturers, you have to either walk a LOT of keys and subkeys and enums, and HOPE you don't make a mistake, or you need to have a table of EVERY hardware manufacturer's entries to successfully determine which device is a CDROM, DVDROM or hard disk and make sure to correct registry entries for each possible hardware manufacturer or a removable or fixed device. We opted to do it the HARD way to ensure that we could "de-crater" without breaking someone's system.
I guess that's why I'm so honked ... all that work ... for a freebie. -- Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again)»www.nsclean.com
catseyenu | reply to Wildcatboy
Upon reflection, I do not wish to post. Take me back!
SvS | reply to Wildcatboy
said by Wildcatboy: Another workaround to this dilemma if you care, is to publish manual removal instructions
Since Mark already provided complete manual removal instructions in his initial blog entry on this topic (»www.sysinternals.com/blog/2005/1···hts.html) this would be superfluous.
Question | reply to catseyenu
Hasn't manual removal already been published on the Internet?
Manual deletion of DRM rootkit service:
1. Click on the Start button.
2. Click on the Run option.
3. In the Open: field type cmd /k sc delete $sys$aries and press the OK button.
4. Reboot your computer
5. Delete C:\%WinDir%\system32\$sys$filesystem\aries.sys (Replace %WinDir% with the directory that Windows is installed on your computer)
Would anything still be lingering if this command is set forth?
ZOverLord | said by Question:
Hasn't manual removal already been published on the Internet?
Manual deletion of DRM rootkit service:
1. Click on the Start button.
2. Click on the Run option.
3. In the Open: field type cmd /k sc delete $sys$aries and press the OK button.
4. Reboot your computer
5. Delete C:\%WinDir%\system32\$sys$filesystem\aries.sys (Replace %WinDir% with the directory that Windows is installed on your computer)
Would anything still be lingering if this command is set forth?
Yes, the "WireTap" Filter portion would still be there. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com
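The five manual steps above only remove the $sys$aries service and its file, which is why ZOverLord says the filter portion is still there; as Kevin explains earlier in the thread, crater.sys stays registered as a filter driver in the device's Enum keys, and deleting the file without fixing those keys is what makes the drives disappear. As an added example, not code from any poster in this thread or from BOClean, the Python script below reads a `reg export` of the Enum tree, lists every UpperFilters/LowerFilters value that still names a given filter driver, and computes the corrected list that keeps the other filters in their original order; the sample export, the device key paths and the `$sys$crater` service name are constructed assumptions.

```python
r"""Find leftover storage filter-driver references in a `reg export` of
HKLM\SYSTEM\CurrentControlSet\Enum and compute the repaired value lists.
The sample export, device key paths and the "$sys$crater" service name
below are constructed assumptions for this example, not data from the thread."""
import re
# Constructed .reg fragment: the first CD-ROM key still lists the rogue filter
# beside the legitimate redbook filter; the second key is clean.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomEXAMPLE_DVD\5&1a2b3c&0&0.0.0]
"Class"="CDROM"
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,00,\
  72,00,00,00,72,00,65,00,64,00,62,00,6f,00,6f,00,6b,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomEXAMPLE_CDRW\5&9f8e7d&0&1.0.0]
"Class"="CDROM"
"UpperFilters"=hex(7):72,00,65,00,64,00,62,00,6f,00,6f,00,6b,00,00,00,00,00
"""

def _join_continuations(text):
    """Rejoin .reg lines that were wrapped with a trailing backslash."""
    lines, pending = [], ""
    for line in text.splitlines():
        if pending:
            line = line.lstrip()  # continuation lines are indented
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    return lines

def _decode_multi_sz(hexdata):
    """hex(7) is REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL terminated."""
    raw = bytes(int(b, 16) for b in hexdata.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def parse_filter_entries(reg_text):
    """Return {key_path: {value_name: [filters...]}} for every Upper/LowerFilters value."""
    entries, key = {}, None
    for line in _join_continuations(reg_text):
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"(UpperFilters|LowerFilters)"=hex\(7\):(.*)$', line)
        if m and key:
            entries.setdefault(key, {})[m.group(1)] = _decode_multi_sz(m.group(2))
    return entries

def plan_filter_removal(reg_text, rogue):
    """Map (key, value_name) -> corrected list for every value naming `rogue`.
    Names compare case-insensitively as the registry does. An empty result means
    the value must be deleted outright, not left as an empty multi-string; the
    other filters keep their original order so the device stack is unchanged."""
    plan = {}
    for key, values in parse_filter_entries(reg_text).items():
        for name, filters in values.items():
            if any(f.lower() == rogue.lower() for f in filters):
                plan[(key, name)] = [f for f in filters if f.lower() != rogue.lower()]
    return plan

if __name__ == "__main__":
    for (key, name), keep in plan_filter_removal(SAMPLE_REG, "$sys$crater").items():
        print(f"{key}\n  {name}: keep {keep or 'nothing (delete the value)'}")
```

Running the script against a real export only reports what would change; writing the corrected values back is left to the practitioner once the plan has been reviewed.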
John2g | reply to Question
said by Question: Would anything still be lingering if this command is set forth?
You haven't been following: keep up. -- Better to remain silent and be thought a fool, than to speak and remove all doubt.