Check out Bruce Schneier’s excellent story in Wired about Sony’s Rootkit/DRM debacle.
The controversy relates to Sony’s desire to prevent customers from illegally copying music CDs.
Here’s what happened: if you bought a Sony music CD and tried to play it on your Windows PC, Sony’s CD would covertly install a batch of particularly troublesome software. In addition to preventing customers from making too many copies of the music they purchased, the software installed a “rootkit“, which (1) hid the “copy-protection” technology from normal view (also making it invisible to anti-virus software) and (2) also secretly communicated back to Sony when its CDs were placed in a computer. Such rootkit software is notoriously vulnerable to exploits; this means that, potentially, hackers could gain access to each infected PC and its owner would never know. To top it off, according to the story, removing the software would damage Microsoft Windows, rendering the CD player unusable.
It’s unclear how many computers were infected, but it’s probably more than 500,000. Take a look at this: each red dot represents a likely infected PC (the image was created by Dan Kaminski, who has done fine work in exposing the scope of the problem).
Here’s a list of all CDs with the problematic software.
And here’s Sony’s official response. This is obviously outrageous, and it’s hard to believe that Sony would insinuate that this is a third-party vendor’s fault. Clearly, much more needs to be said (and done)–and not just because Sony may have exposed itself to legal liability.
Frankly, I think that Sony should be held responsible for the epidemic. Had the company broadly announced that they were going to install a trojan horse that could not be detected by antivirus software to protect their rights, it is obvious that they would have lost sales. Sony knew that fact and deliberately jeopardized the security of millions of people in an attempt to maximize their own profit. In my opinion, they should be subject to the same corpus of computer law as other hackers. If I distributed a game that secretly installed a rootkit that could not be detected by antivirus software, do you think that the government would be so lenient with me? I doubt it. On the bright side, I think it is fairly safe to say that other large media conglomerates will think twice before pulling something like that again.
Left by Hooman Radfar on November 18th, 2005