72 comments

[ 3.5 ms ] story [ 142 ms ] thread
Also interesting: Sony sold laptops with hardware-based virtualization disabled:

https://www.tweaktown.com/news/12956/sony_disabled_cpu_virtu...

It's unclear why they did that, but preventing DRM circumvention might be one reason.

IME most consumer laptops (that aren't Chrome books which have definitely taken over) at best have virtualization turned off (so you can turn it on, potentially breaking some Windows thing.)

I've given up on any kind of pre-built piece of consumer electronics more complex than a microwave and newer than the original iPhone at this point. Something happened and it's impossible to get anything that doesn't actively fight you.

> at best have virtualization turned off (so you can turn it on, potentially breaking some Windows thing.)

Yes, but there was no way to turn it on (as the linked article explains)

> (so you can turn it on, potentially breaking some Windows thing.)

Actually, you must turn it on if you want to use Hyper-V and/or WSL2.

Windows 11 licensing requires oems to sell machines with it turned on. MS uses it for a security feature called core isolation.
I think the issue from an OEM perspective is that if their product isn't fighting the consumer, the consumer will use the product to fight them. Which isn't totally unfounded.

Apple doesn't want to spend the man hours (or charge the cost) of unfucking iphones that regular consumers fucked with all the freedom they have.

Don't mistake this post as a defence of Apple or the like. It's merely a recognition of the issue from their side.

There's an easy solution for this: Make it clear in settings what the risks are if you screw up your device, and also what the repair cost will be. And then charge enough to cover the cost of training new technicians and their salaries.
Apple lets people fuck their devices regularly with their app choices. The appstore doesn't protect anyone against malicious apps that pass validation. I don't see how its any worse than letting us sideload after tapping through a scary warning.
Wow. Given that weev was sentenced to 3 years in jail for collecting accidentally accessible e-mails from a website [1] (a far lesser privacy invasion than the mildest of Google's telemetry), I can only imagine how packed prisons were with Sony executives for this!

[1] https://en.wikipedia.org/wiki/Weev#AT&T_data_breach

> leak Auernheimer was a member of the hacker group known as "Goatse Security" that exposed a flaw in AT&T security in June 2010, which allowed the e-mail addresses of iPad users to be revealed. The flaw was part of a publicly-accessible URL, which allowed the group to collect the e-mails without having to break into AT&T's system. Contrary to what it first claimed, the group revealed the security flaw to Gawker Media before AT&T had been notified, and also exposed the data of 114,000 iPad users,

You know that someone leaving their front door open by accident is not an invitation or an excuse to enter and collect whatever you want, right? Especially when you're a complete and total piece of shit, some jail time is not an overreaction ( if it was a normal human being, leniency for a first offense is natural and to be expected).

As for Sony execs, if only that was the first case white collar crime was brushed off.

I’ve heard the “leaving your door open” thing before and I don’t think that’s a good analogy here. That’s not how the internet works. I send requests to other machines and ask them for stuff and whether they respond or not is on them. That some folks make terrible decisions when it comes to how they store their data isn’t really anyone else’s problem. A better analogy might be “In the uk, if you leave something on the pavement outside your house then you don’t want it anymore and it’s Ok if other people take it. I decided to leave a stack of personal data there and someone just took it.”
> I send requests to other machines and ask them for stuff and whether they respond or not is on them.

So by this logic, SQL injection is perfectly fine? RCE is perfectly acceptable too? After all, my machine is just asking for stuff and the other machine is responding in a way its code tells it to.

The open door analogy fits pretty well here, really. Just because you see an opening doesn’t mean you’re allowed in.

This is silly. It was a publicly accessible URL. A better analogy would be leaving your window blinds open and being upset that your neighbors can see you inside your home. Your neighbors aren't at fault, you are, and you can face criminal charges if you do something lewd inside your home while visible from public property. AT&T is completely at fault here for publicly distributing private info.
For an analogy who went all the way up to the Supreme Court see: https://news.artnet.com/market/arne-svenson-neighbors-photog...
This woman was not guilty after doing this with special equipment, a telephoto lens(!).

There was also that guy in another case sitting in his kitchen naked while drinking coffee and reading the morning paper. Some woman decides to walk into his back yard with her kid, sees him, and called the police on him for indecency...it took years for him to get let off and cost him a ton of money to not get any penalties. He was nearly held liable for what someone saw inside his house when they had to be trespassing to see it!

This case should be held up as a troubling indictment of current legislation, not held up as an example of freedom of expression.

It also happens to be irrelevant to the case above, as it seems to have been specifically decided on the merits of the photographs as Art. It would be hard to claim that leaking the emails to Gawker was a form of art, so it may well have ended up differently.

Another major difference is that Svenson intentionally omitted faces, so determining identity is very difficult. Leaking emails to Gawker for users' AT&T accounts is partially identifying its users, so it could even be considered a hostile action (against either AT&T, its customers, or both).
If that is hostile, then what is ISPs selling browsing data [1]? Google gathering location data even on those who opt out? Facebook gathering contacts lists and text messages [2]?

And no, not selling that data doesn't make the act non-hostile. If company X possessing that data is hostile, why is Facebook/Google/AT&T/Microsoft having it any better? Because of their saint-like reputation?

[1] https://www.howtogeek.com/724472/do-isps-track-and-sell-your...

[2] https://www.cbsnews.com/news/facebook-gathers-texts-phone-da...

For anyone confused, this wasn't argued before the US Supreme Court, it was argued before the NY State Supreme Court, which _isn't_ the highest court in the state (that's the Court of Appeals).
In this analogy, responsible disclosure would be something like I take a peek in your window and then let you know that I can see inside, and then you can take appropriate action since you probably didn't know your blinds were open a bit.

What weev did was more like set up a 3d scanning apparatus outside the window and create a perfect 3d scan of my entire house through the little opening in my blinds.

I still disagree. Those other systems are not the web. If i can look at a url and get your secret data, that’s on you. I think the other reply who gave the analogy of leaving the blinds open was a better one than mine.

[ and just off-topic slightly, yes, I think RCE and SQL injection are perfectly fine. ]

>I still disagree. Those other systems are not the web. If i can look at a url and get your secret data, that’s on you. I think the other reply who gave the analogy of leaving the blinds open was a better one than mine

With you so far...

>[ and just off-topic slightly, yes, I think RCE and SQL injection are perfectly fine. ]

WTF?! Seriously? There's a huge difference by tweaking the content in a query string of a URL vs injecting known malicious code/content.

Yes, seriously, and I have thought about this a lot. I appreciate it’s not a popular position and I’m not likely to win any debates on the topic. If a computer is voluntarily connected to the internet then it’s there to explore and there should be no penalties for getting into those machines and looking around by connecting remotely. Malicious outcomes in the real world, obviously this is different. Hack in, look around, fine. Hack in, explode powerstation, not fine.
I am inclined to agree - intent matters.

RCE/SQLi, then contacting the relevant company to notify them about the problem, shouldn't be a crime. RCE/SQLi, then dumping all the data and exorting the company with it, should definitely be.

> Malicious outcomes in the real world, obviously this is different.

I definitely agree with you on this point. If someone looked in my window from the street and saw me eating breakfast, no harm no foul. If I didn't want them to see me I should have closed the blinds. But if someone sets up a camera at the exact same spot and streams it to twitch, I feel like I should have some recourse. (I don't think, legally, I would, but ianal).

In general, yes, absolutely.
I wonder how this works with scraping. If I automatically scrape and store sensitive data by accident, surely that would be the site's fault?
> You know that someone leaving their front door open by accident is not an invitation or an excuse to enter and collect whatever you want, right?

Did I claim it was? I accurately described the e-mails as "accidentally accessible" (since I don't think what weev did rises to the level of "using an exploit"), and contrasted the severity of the act with what Sony did, and the severity of its consequences for consumers with what Google and others routinely do.

> Especially when you're a complete and total piece of shit

Then charge him with "being a piece of shit". But given Sony's, Google's, Microsoft's,... general behavior, he's not the only one that could be accused of that.

It's like leaving the front door open for a laundromat. If it's open it's expected to be ok to enter and use.

Both the internet and the laundromat go by "If it's publicly accessible, it's publicly available."

The AT&T emails were what they got him on, but they were mad at him for a lot more than that. Do some research if you’re curious. Smart guy with a lot of wasted potential.
Our modern legal system only has time to consider justice for the rich.

Everybody else needs to be made an example of.

Most funny is that Sony themselves apparently violated copyright with the rootkit itself: It included code of the LAME MP3 encoder, mpglib, FAAC and others, and they didn't adhere to the licensing requirements of these.
Would definitely not agree to it, but at least it's not as bad as what's going on in your average iPhone or Android.

Someone said "put Sony executives in jail for this", but for each of those executives we would have to jail a dozen executives from Microsoft, Apple, Google, Dell, HP, Intel, AMD, and more.

You are right.

It begs for a persistent, searchable list of such known violations along with the publicly traded entity name (e.g. Sony) and list of division heads (e.g.Shunsuke Muramatsu) that may have held relevant executive positions at the time.

Personally I feel like the power and money you get from being an executive should be counterbalanced by taking legal liability for crimes committed by the company under your watch. Yes we'd need to put a lot of people in jail if we did this, but it'd discourage future crimes I feel.
Sony's two mistakes were installing a rootkit if the EULA was refused and not mentioning some of the software in the EULA. Modern devices often invade more of your privacy, but they aren't doing it criminally.
Like banks being too big to fail, these execs are too privileged to jail.
Today's equivalent would be if sony silently rooted your phone so their software could monitor and disable unauthorized music playing on your device, still very very wrong
We'd have to imprison dozens? The US has millions of people in prison, a few dozen would be no problem at all.
> Someone said "put Sony executives in jail for this", but for each of those executives we would have to jail a dozen executives from Microsoft, Apple, Google, Dell, HP, Intel, AMD, and more.

How about we actually start to hold executives accountable and put them into jail when they fuck up? Executives get seven, sometimes eight figures a year in compensation, but face virtually no risk - even if they do fuck up, they get golden parachute packages.

Part of why especially the Android ecosystem is rampant in malicious advertising, tracking, malware, fake advertising, fraud and other issues is because no one gives a shit to hold bad actors accountable. Just look at the current "Evony: The King's Return" advertising campaign - everywhere on my phone from Twitter to Youtube I almost exclusively get their ads despite there having been media coverage of their ads being fake [1] two goddamn years ago.

Youtube, Twitter, Google - no one cares about blatant spam and fraud for years. This shit has got to stop, and preferably sooner than later!

[1] https://www.thegamer.com/someone-made-the-mobile-game-from-t...

The kid me was so enraged by that incident that I have still not bought a Sony product.
Likewise! They completely destroyed their brand as far as I'm concerned.
And even after that, Lenovo still stumbled with the Superfish/SSL Hijacker incident.
The original blog post from Mark Russinovich who discovered the rootkit...

https://web.archive.org/web/20150317040653/http://blogs.tech...

TIL the CTO of Microsoft discovered the Sony rootkit.
Looks like he also created the sysintenal debug tools for Windows, which brought him to Microsoft after they bought them.
Russinovich is also the author of the Sysinternals tools, some of the most useful for problem solving on Windows machines. He also discovered a rootkit in Norton around the same time.

https://en.wikipedia.org/wiki/Mark_Russinovich

Quite an interesting guy.

I wrote a good portion of MediaMax. I told them it was illegal when they asked me to load the driver before the user accepted the EULA. They said it was a legal 'grey area'. I quit shortly there after. AMA
Can you tell us what the driver actually did? How did it "prevent" piracy, and what are your feelings about the allegedly bad software quality?
The driver was pretty simple. When a CD was inserted, it checked for a watermark and if there, returned pseudo random sectors of data. To play the CD on PC required using their software player. The software player had the ability to rip the CD to .wma files and this was how you were supposed to use the CDs. This only affected playback on PCs. CD audio players played the discs as normal CDs.

I never thought it would prevent piracy. They said it was a success even if only a small percentage are stopped by it. I didn't believe in the software but I do believe in copyright so I took the job. The software was put together by 4 guys on a shoestring budget. It's amazing it worked at all. People read into this and think big Sony/BMG money but in reality it's tiny contractors. Some of us were doxxed back then and was a pretty horrible experience all around.

Thanks for responding, it's quite interesting story.

> When a CD was inserted, it checked for a watermark and if there, returned pseudo random sectors of data.

So, if the driver was not running in the machine, the disc would be a standard Data+AudioCD? Nothing else to stop reading it as a generic music disc?

Autoplay. One of the single most stupid default settings in Windows ever since Windows supported removable media, which is a while ago. It's up there with the default of hiding full file names from you.

Basically, if you inserted the disc, Windows would see the data partition, and "helpfully" run the installer for you. Then you'd have the driver installed, and it would block access to read the disc as a generic music disc.

It was also a massive usability boost. The process of "insert installation CD" then "nothing happens" was a bad experience for an extreme segment of the user base.

In 1995 the idea of commercial products being adversarial is low. For the very few cases of the driver they install being unwanted, there's countlessly more cases of it being wanted.

This wasn't "secure by design," it was "usable by design." And for 99.9% of the people, it was likely both.

Yep that's right. It relied on autorun to install the driver when the CD was inserted. If that was disabled and the driver never installed then it was just normal 'bluebook' CD.
> People read into this and think big Sony/BMG money but in reality it's tiny contractors.

There's a general trend for people to treat the happenstance actions of individual workers as fully-intentioned top-down decisions of a unified, hivemind multi-billion dollar entity. A previous employer of mine has been in the news for things where a shortcut by a single lazy engineer was interpreted as a political attack on free software.

Here's a video about this rootkit made by one of the Windows developers from that era. All of his videos are very entertaining and a unique look into Microsoft engineering from the 90s and early 00s.

https://youtu.be/PqWjq2SdzpI

Years ago this YouTuber did some paid voice work for me, narrating dozens of my site's non-fiction articles for an audio book. Fast forward a few years, and he started making his own videos about the exact stories he narrated for me. Dozens of them. It's not technically violating copyright law, but it is parasitic and backstabbing.

A few examples:

Me: (October 2020): https://www.damninteresting.com/how-miss-shillings-orifice-h... Him: (November 2020): https://www.youtube.com/watch?v=zBkAVE7cspw

Me (2006): https://www.damninteresting.com/it-came-from-above/ Him (2017): https://www.youtube.com/watch?v=LbPG8jSud14

Me (2006): https://www.damninteresting.com/the-crypt-of-civilization/ Him (2021): https://www.youtube.com/watch?v=W0pduckpU-A

I recently had someone look through his catalog, and so far he has over 70 videos that seem to be strongly "inspired" by my site's work. I worry he'll shamelessly gobble up everything I have created. Google is already burying me in the regurgitations. Blah.

Apologies for the rant, it just pains me to see these poachers reaping all of the rewards for others' research and leg work.

What a snake. You should make a video calling him out with proof, forcing him to respond. Post it all over Reddit/HackerNews etc;
The pain is justified. Social media can be a cruel and hypercompetitive place. Maybe you need better advertising?
> It's not technically violating copyright law

Are you sure about this?

Months ago I spoke to an IP consultant who had previously helped me when another writer plagiarized my work; the consultant felt this YouTuber's behavior is not actionable, just scummy and shameless. And the YouTube terms of service don't seem to prohibit this sort of parasitism.
Why didn't you create your own YouTube channel?
I do hope to dabble in video content some day, but making videos is not yet in my skill set, so it'll take a lot of work to get there. In any case, I don't think I'd put my videos on YouTube, that algorithm seems toxic for creators.

There's also the unpleasant fact that somebody else is already filling YouTube with content based on my catalog. Despite having done the original topic selection and research, I'd look like the johnny-come-lately.

Thank you for justifying my intense dislike of Simon Whistler.
Oh wow, and that is a prominent YouTuber too. I'm subscribed to him, though haven't been watching his videos lately since they started feeling a bit too content-farmy. Definitely gonna be thinking about looking into this further and possibly raising some stink.
As an aside, just went through and read some of your articles, they do indeed live up to the site’s name.
Most people don't even know what a rootkit is, so why should they care? Additionally, Sony should do it again if they get the chance!