The Sony Rootkit Saga Continues
I’m just not able to keep up with all the twists and turns in this story. (My previous posts are here, here, here, and here, but a way better summary of the events is on BoingBoing: here, here, and here. Actually, you should just read every post on the topic in Freedom to Tinker. This is also worth reading.)
Many readers pointed out to me that the DMCA is one of the reasons antivirus companies aren’t able to disable invasive copy-protection systems like Sony’s rootkit: it may very well be illegal for them to do so. (Adam Shostack made this point.)
Here are two posts about the rootkit before Russinovich posted about it.
And it turns out you can easily defeat the rootkit:
With a small bit of tape on the outer edge of the CD, the PC then treats the disc as an ordinary single-session music CD and the commonly used music “rip” programs continue to work as usual.
(Original here.)
The fallout from this has been simply amazing. I’ve heard from many sources that the anti-copy-protection forces in Sony and other companies have newly found power, and that copy-protection has been set back years. Let’s hope that the entertainment industry realizes that digital copy protection is a losing game here, and starts trying to make money by embracing the characteristics of digital technology instead of fighting against them. I’ve written about that here and here (both from 2001).
Even Foxtrot has a cartoon on the topic.
I think I’m done here. Others are covering this much more extensively than I am. Unless there’s a new twist that I simply have to comment on….
EDITED TO ADD (11/21): The EFF is suing Sony. (The page is a good summary of the whole saga.)
EDITED TO ADD (11/22): Here’s a great idea; Sony can use a feature of the rootkit to inform infected users that they’re infected.
As it turns out, there’s a clear solution: A self-updating messaging system already built into Sony’s XCP player. Every time a user plays a XCP-affected CD, the XCP player checks in with Sony’s server. As Russinovich explained, usually Sony’s server sends back a null response. But with small adjustments on Sony’s end—just changing the output of a single script on a Sony web server—the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.
This is so obviously the right thing to do. My guess is that it’ll never happen.
Texas is suing Sony. According to the official statement:
The suit is also the first filed under the state’s spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems.
And here’s something I didn’t know: the rootkit consumes 1% – 2% of CPU time, whether or not you’re playing a Sony CD. You’d think there would be a “theft of services” lawsuit in there somewhere.
EDITED TO ADD (11/30): Business Week has a good article on the topic.