Rootkit revisited: Technology Review

Technology Review: Inside the Spyware Scandal. The MIT journal attempts to reconstruct everything that happened with the Sony BMG rootkit brouhaha (for details, see the Boycott Sony blog).

A reasonable recap of everything that happened, with a few revelations. First, First 4 Internet was originally hired to protect studio recordings from prerelease leaking, and the broadly disseminated rootkit technology just kind of happened along the way. Second, Sony BMG initially didn’t respond to F-Secure’s questions because the security company contacted the wrong Sony subsidiary. There won’t be any real answers unless the legal proceedings still underway uncover them; both First 4 Internet and Sony BMG declined to comment for the article, which kind of limits the scope of its revelations.

I’m quoted in the article about the Boycott Sony blog and my reaction to it, though I’m morphed inexplicably into a Web developer.

Unfortunately the article comes down on the side of arguing that there has to be some kind of “good DRM,” that all Sony did was err in how heavy-handed and covert its attempts to apply DRM were. I’m not sure I agree any more. I certainly don’t think the answer is going to come in trying to make something “consumer friendly” that limits your rights.

Who wants another DVD format anyway?

That’s the question I asked when the PSP came out, with movie capabilities — provided you bought the movies in the new, incompatible UMD format. A post at the end of last week on Wired indicated one of the business challenges such a format switch provides: getting the retailers to stock the disks. If Wal-Mart doesn’t see the value in carrying your product, it’s a pretty clear indication that you might want to head back to the drawing board.

The comments thread on the story suggests additional problems, such as lack of any UMD burners or home UMD players on the market. The last time we had multiple content formats coexisting on the market, each had a clear place—records lived at home, cassettes went with you in the car or a Walkman—and more importantly you could copy from one to the other. Ever since then, every new technology that was marketed as an “alongside” format, rather than an out-and-out replacement, has gone by the wayside (see: MiniDisc and DAT, which only survive as recording media rather than content sales).

Sony at it again: DVD based rootkit

I hadn’t been actively looking for Sony DRM links since putting the Sony Boycott blog on pause, so this one came as a surprise: an advisory from F-Secure that a recent Sony DVD (the apparently not completely execrable Mr. and Mrs. Smith) has rootkit-like behavior. The DVD contains DRM from Settec, which is designed to hide itself on the hard disk of anyone who plays the DVD on a Windows computer.

F-Secure posted this back in February; I found it from a few blog links. The usual suspects never commented on this as far as I know—perhaps because the DVD in question was only released in Germany.

Still. This is Not Good.

How not to capture the digital music market

A week or so ago, when Apple announced its iPod Hi-Fi speaker system, the Wall Street Journal published a fairly penetrating article about the impact of digital music on the hi-fi audio market. Interesting points: customers seem to value portability over sound quality (home audio equipment sales dropped 18% in 2005 while digital music player sales tripled).

As someone who’s doing a lossless ripping project to turn all his CDs into digital music files, who has spent some time and money connecting his home audio system to his wireless network, and who owns an iPod, I think there are several explanations for this. First, a lot of people can’t tell the difference. Really. Second, the convenience of searching by song on services like iTunes and Rhapsody (but not, ironically, eMusic, whose text-searching facility is horrible) encourages digital downloads for impulse purchases at the expense of other music purchases (no more buying an album just because you liked the single, or a greatest hits compilation because it reminds you of high school). Third, it’s not out of the question that people might want multiple iPods. I keep being tempted by those $99 1 GB Shuffles, for instance. Fourth, there are real advantages to being able to take the music that you listen to on your home system with you on your iPod in the car, on the subway, and on a plane.

Which may explain the last paragraph of the article, which describes a new service, MusicGiants Inc., that sells “lossless” downloads from “the same major-label content sold by services like the iTunes Music Store” for a 30 cent premium. Except, of course, that the files are encoded as lossless Windows Media Audio files (version 9 encoder), which won’t play on an iPod or a Mac and carry Microsoft’s Windows Media DRM; the service is only available for Windows XP computers; and major independent acts like Spoon, whose entire back catalog is digitally available elsewhere, or even Sleater-Kinney, are absent from the service.

All this goes a long way toward explaining the last sentence: “Sales,” says the Wall Street Journal dryly, “have been slow so far.” Well, duh. Fighting iTunes’ DRM with someone else’s DRM isn’t the way to go. I would go so far as to say that the only other horses in the race are eMusic, which sells relatively high quality VBR MP3s of independent music with no DRM attached for around $0.25 a track (based on 40 tracks for $9.99 a month), and Rhapsody, who have a deep catalog and an all you can eat business model (albeit with draconian DRM: if you stop paying for the service, your tunes stop working). Those are different business models with different benefits to the customer. The digital music market is big, but so far it’s not big enough to support undifferentiated services offering the same content, only with different DRM.

Tagging and iTunes: a roundup

As someone whose digital music collection keeps growing (now filling, despite my previous pledge, all but 15 GB on a 270 GB drive), I am always alert for new ways of managing the mountain of music. One trick that has been productive has been putting track metadata, including lists of musicians, actual recording dates, and keywords like “cover” or “remix,” in the Comments field of each track. This is a more staggering task than even I imagined, for a couple of reasons.

The first reason is the domain: even rock bands usually have north of four people involved in a given song, and when you look to jazz tracks, the task of manual data entry becomes huge. Also, unlike with iPhoto (or Flickr or del.icio.us), there is no concept of a discrete “tag” for a music track—in iTunes or anywhere else, as far as I can tell. Everything must live inside an unstructured comments field. So each item must be added manually, and God forbid you want to remove a tag from more than one item.

I had created an AppleScript to cope with the first challenge, a simple script that puts a user-defined keyword at the end of the comments block. But in a recent MacOSXHints article and its comments, I was exposed to a host of other solutions and am convinced it will be easier for me just to adopt someone else’s approach.

I’m tempted by the approach of managing iTunes tagging with Quicksilver, but I have actually given up using Quicksilver as it tends to slow to a crawl on my 1GHz G4 PowerBook. The approach of Common Tater looks good, but I’d rather have a small atomic script than a monolithic application, and it hasn’t been updated in quite a while. TuneTags has the same objection, plus the fact that its XML-like markup is too big to fit comfortably inside the meager 255 characters given for comments on a track.

I look forward to checking out Christopholis’s TuneTag (no relation) and the Add/Remove Tags scripts from dwipal. But ultimately the AppleScript solutions will need to yield to either a cross-platform iTunes plugin with a consistent tag separator methodology (semicolons? asterisks? XML? <T>?) or to a dedicated tag feature implemented by Apple. I’ve never understood why iTunes never got tags and iPhoto has had them since the beginning.

Boycott Sony blog goes quiet, for now

Sony Boycott Blog: Farewell, for now. I think it’s time to move into new challenges: like, having raised awareness of the dangers of DRM, how do we act to keep DRM free music alive? I will be embracing those issues in my new DRM category here on the blog and look forward to getting your ideas and input.

On a technical note, does anyone know how to prevent new comments from being added to a WordPress site while still allowing old comments to be displayed? Turning comments off on a post appears to delete all the post’s comments.

And, speaking of DRM awareness, check out this piece on David Byrne’s blog about DRM:

Happy New Year. Don’t Buy CDs from the Big 5.

CDs from the big five run the risk of damaging your computer, opening you up to security risks, and you can’t rip the music onto your iPod. Stop buying CDs now. At least until they guarantee us that they will never try this sh*t again.

O.K., I’m exaggerating, but if I need to carry around a list to know which CDs I can safely buy it’s getting out of control.

New iTunes script: Increment Playcount

I’ve uploaded a bare bones AppleScript that I’ve found useful over the past few weeks. The script, Increment Playcount, does what it says: it bumps the playcount of a track in iTunes by 1 and sets the Last Played date to the current date and time. It’s been helpful to me because many of my smart playlists rely on knowing if I’ve heard a track or not, but unfortunately sometimes my iPod doesn’t sync playcounts—and sometimes my iTunes library gets blown away, losing all playcount information.

To use the script, unzip it, drop the script in your Library/iTunes/Scripts folder, go to iTunes, select one or more tracks, then select Increment Playcount from the scripts menu.

More detail about this and my other AppleScripts on my Software page.

Don’t celebrate the end of DRM?

Interesting post on the faculty blog of the University of Chicago Law School, by professor Doug Lichtman, that argues that the end of DRM would be disastrous for the music industry and music lovers. He suggests that without DRM, the industry will have no incentive to invest in music or will develop some other draconian response to piracy, such as streaming music to proprietary players. He also argues that improvements in labeling law or changes to the law to prevent the use of DRM as draconian as Sony’s would backfire, as this would lead to legislating over what types of DRM are permissible.

It’s good to see someone even try to argue the value of DRM after the whole Sony rootkit fiasco, but in this case Professor Lichtman has it wrong.

First, as Doug Lay points out in the comments, imagining the major labels moving to supporting only a single proprietary player leads to some interesting speculative schadenfreude. Certainly it’s easy to imagine the major labels continuing their downward spirals by fragmenting the playback market and alienating their channel. But just because the solution to come might be further detrimental to the labels’ interests is no reason to keep an antipiracy solution that has been proven harmful.

Second, Professor Lichtman suggests that the law needs not only to require better labeling for DRM but also to identify what is and is not allowed:

DRM of the sort adopted by SonyBMG might similarly be so bad as to be impermissible. But then we need to say more about what forms of DRM would be permissible, just as we similarly today allow shopkeepers to put locks on their doors, call the police in the event of a burglary, and so on.

If I’m not mistaken, there are a few lawsuits out there that point out ways in which Sony BMG’s DRM is in violation of existing laws against spyware, computer fraud, false or misleading statements, trespass, false advertising, unauthorized computer tampering, and other generally consumer hostile acts. I think this point of Professor Lichtman’s is a red herring. As Doug Lay points out, we don’t need new laws, we need Sony to be punished for the laws they’ve already violated. In fact, I’m not sure I’d say that legislation against DRM is needed at this point even after this case, and perhaps on this point I do agree with Professor Lichtman, though for different reasons. I think we still need to see what the market, competitive pressures, and general customer awareness will do to address the labeling problem, and in the meantime the fallout from lawsuits will hopefully force Sony BMG and other labels to reconsider their choices.

Finally, Professor Lichtman assumes that the major labels’ investment in music somehow creates value for the musician and the customer. I’m not going to comment except to point out that the list of XCP infected discs contained albums by Celine Dion and Our Lady Peace. And I’m not sure how anyone could construe putting XCP on discs of reissued material by Dexter Gordon, Louis Armstrong, Art Blakey, Shel Silverstein, Horace Silver, Gerry Mulligan, or Dion, all on the XCP list, as constituting protecting an ongoing investment in music.

(Originally posted on the Sony Boycott blog. I don’t normally crosspost material like this except for my music reviews, but thought there might be some readers here who aren’t following the Boycott blog who might find this discussion interesting.)

Weekend update, and Boycott Sony on the air

I have a fair number of updates from the weekend to post, including Justin Rosolino’s gig at Club Passim, the annual Old South Thanksgiving service at the historic Old South Meetinghouse, and the (all-but) completion of our bathroom renovation—not to mention a CD review. But in the meantime, check out the Sony Boycott blog, where things have been popping now that the mainstream media has picked up the story. And be sure to listen in when I go on the air to discuss the Sony situation, in about fifty minutes.

New phase for Peregrine

News.com: HP to buy Peregrine for $425 million. That HP is building out its IT Service Management toolset is unsurprising; most of the company’s ITIL strength is in service delivery with availability and capacity monitoring, while its core service desk capabilities are weak or nonexistent. That’s a problem in this market, where the service desk is increasingly becoming a process center of excellence for IT Service Management and is an important part of any ITSM offering.

But that they would acquire Peregrine? Word on the street was that Peregrine was coming out of its near-death experience after its 2002 accounting scandals. But the company has still essentially lost much of its former market leadership. HP has gone into a lot of deals with Peregrine, so they must be pretty comfortable with their technology. The deal price is about 2.2 times annual earnings, so while not a bargain, it’s not a rip-off either. And the deal puts HP eyeball to eyeball with BMC, who purchased the other market leader, Remedy, from Peregrine three years ago. What a weird market.

Disclosure: My firm, iETSolutions, is another major player in this market, and my comments don’t reflect the opinions of the firm.

massDeleteManila: AppleScript for mass spam deletion

After the carpal tunnel moment earlier today, I decided to look on the bright side of spam. I updated my hoary old ManilaHandler AppleScript to add support for the Manila.message.delete method (and at the same time bundled the support script SOAPXMLRPCHandler into the body of the script). And I wrote a simple AppleScript, massDeleteManila, that takes a comma delimited list of message IDs and deletes them.

The UI isn’t elegant. You need to type or paste a comma delimited list into a dialog box. Plus no progress bar. But it works, and it is a lot faster than deleting spam through the web UI.

My suggested workflow for using this on your own Manila blog:

  1. Copy and paste the table for your discussion group topic listing page showing the spam messages into Excel.
  2. Copy just the message IDs and paste them into BBEdit (or another word processor).
  3. Search and replace: replace paragraphs with commas.
  4. Run the massDeleteManila script and paste the comma-delimited list of message IDs into the first dialog box.
  5. If you haven’t filled out your blog URL yet, type it in, along with your username and password.
  6. The script runs silently until all the messages have been deleted.

The massDeleteManila script is available for download. I provide it so that other Manila users, such as the Berkman bloggers, can benefit. Please use it carefully—there’s no easy way to undelete messages in Manila, and I cannot provide support if you accidentally delete important content. Note that you may need Tiger to run the script—I haven’t been able to test it under Panther.

Peer review process artifacts

High time, I think, that I started a dedicated news item department for software development. For one thing, I’m increasingly thinking about software processes as we move further along the planning for our next release. For another, I tend to think about and comment on these things a lot already, in departments like Internet, and I’m too categorical a thinker to be happy with that grab-bag category.

So to kick it off, a link to a site that’s been in a tab of my browser for weeks: Goodies for Peer Reviews from Process Impact. This is a set of documents, provided as shareware, that includes both sample artifacts and a strawman process. Unfortunately, the process is so well defined as to be almost useless in a small firm, but at least it provides good food for thought as well as showing some considerations that may need to be managed for larger teams.

In defense of plain ol’ SQL

Philip Greenspun Weblog: How long is the average Internet discussion forum posting?. I’m less interested in Philip’s answer than I am in the methodology: simple SQL select statements that give you very important product design data.

People talk about “data mining” and “business intelligence” as though they’re complicated, new skill sets, but really all you need sometimes to make the right call is a simple SQL query. And the right data set, of course…

Integrating Google Maps

Mac OS X Hints: Map Address Book addresses via Google Maps. This is the sort of low tech URL-based hack that is perfect for AppleScript, and very easy to debug.

An older Mac OS X Hints article discusses the plug-in capability and provides another sample script. From that, it looks like you capture the field to which you’re adding the contextual menu using an “on action property” handler; the title can be set with “on action title”; and the actual code is in the “on perform action” block.

Other address book plug-ins:

  • iCal Scripts (Apple): schedule a call, create a “birthday event” (reminder), or create an event associated with the person
  • Dates and SMS Scripts (Daniel Browne): send an SMS message via a Bluetooth phone, email, or AIM
  • Skype call (bertlmike): open a Skype call

The plug-ins can also be written in Cocoa or Carbon.