11.22.2005

Sony's maliciousness

An ongoing story about Sony's Digital Rights Management (DRM) software that installs with some Sony CDs has created a firestorm of protest. I, like many people, believe Sony has a right to control the copying of copyrighted material. There is no argument there. But the DRM software that Sony uses is never mentioned in the EULA, nor was there a method for uninstalling the software. Worst of all is the fact that the program hides some of its own files, opening up security risks.

This story was first uncovered by Mark Russinovich on Oct 31 of this year, in a post where he does a brilliant job outlining the specific steps he used to uncover the rootkit. In a follow-up article, Mark levels these specific complaints against Sony:
********************
  • Sony denies that the rootkit poses a security or reliability threat despite the obvious risks of both
  • Sony claims that users don't care about rootkits because they don't know what a rootkit is
  • The installation provides no way to safely uninstall the software
  • Without obtaining consent from the user, Sony's player informs Sony every time it plays a "protected" CD

Sony has told the press that they've made a decloaking patch and uninstaller available to customers, however this still leaves the following problems:

  • There is no way for customers to find the patch from Sony BMG's main web page
  • The patch decloaks in an unsafe manner that can crash Windows, despite my warning to the First 4 Internet developers
  • Access to the uninstaller is gated by two forms and an ActiveX control
  • The uninstaller is locked to a single computer, preventing deployment in a corporation

Consumers and antivirus companies are responding:

  • F-Secure independently identified the rootkit and provides information on its site
  • Computer Associates has labeled the Sony software "spyware"
  • A law firm has filed a class action lawsuit on behalf of California consumers against Sony
  • ALCEI-EFI, an Italian digital-rights advocacy group, has formally asked the Italian government to investigate Sony for possible Italian law violations

*********************

The security hole in this software has already led to an attack on infected computers.

Since Mark's revelations, a great many more class action lawsuits have erupted.

Sony has finally acknowledged that these CDs are not customer friendly and has offered an exchange program if you've bought one of these CDs lately. If you have bought one of Sony's CDs, check here to see if you should and can exchange it.

Amazon.com has notified customers who bought one of Sony's infected CDs that they can return it for a full refund. (You should have received an email already if the CD you purchased is infected.)

Please pass the word around, so that others don't leave their computers vulnerable.
