
Well, seems like a lot has happened since my last post. Looks like Sony is the latest shining example of corporate asshattery.
Many other sites have covered this better than I could ever hope to, but I'll summarize:
To "protect" their "intellectual property" (we call it music around here), Sony BMG chose a digital rights management (DRM) product to prevent people from "stealing" their music. The problem is they included a bit of code in their DRM software which hides itself from the operating system, and by extension, the user. This bit of code is what we call in the IT biz a "rootkit". A rootkit is software that is used by hackers to hide the fact that they have penetrated your system to install whatever nasty tools they use to take control.
While Sony says in the fine print of their license agreement that they will install software to allow you to listen to their music on your PC, nowhere do they state that they are making a low-level, fundamental change in how your PC works. Worse yet, any hacker can now hide code on your PC to take control of it simply by prefixing the file name with "$sys$" so that it disappears from sight.
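The detection side of that "$sys$" trick is worth seeing in code. The defensive approach is "cross-view" detection, the technique behind Sysinternals' RootkitRevealer: enumerate the same directory through the high-level API the rootkit hooks and again through a lower-level path it does not, then report whatever shows up in only one view. The following is an added example, not code from the post or from Sony's or Sysinternals' software; it simulates both views in pure Python so it runs anywhere, and the directory tree, the file names and the `cloaked_view` filter are constructed for illustration (the only fact taken from the post is the "$sys$" prefix rule).

```python
"""Cross-view rootkit detection, illustrated on constructed data.

The post states that the Sony DRM rootkit hides any file whose name begins
with "$sys$" from the normal Windows file-listing APIs. A cross-view
detector lists the same directory two ways, one through the API the rootkit
can filter and one the rootkit does not touch, and flags any difference.
Both views are simulated here; nothing below touches the real filesystem.
"""

HIDE_PREFIX = "$sys$"  # cloaking rule as described in the post


def cloaked_view(raw_listing):
    """Simulate the hooked API: every name the rootkit hides is dropped.

    This stands in for a directory listing returned by the filtered API;
    on a real infected machine this is what Explorer or dir would show.
    """
    return [name for name in raw_listing if not name.startswith(HIDE_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Return names present in the raw (unfiltered) view but absent from the API view.

    This is the core of cross-view detection and works for any enumeration
    (files, processes, registry keys) as long as both views cover the same
    namespace.
    """
    api_names = set(api_view)
    return sorted(name for name in raw_view if name not in api_names)


def scan_tree(tree):
    """Walk a {directory: [names]} mapping and return the hidden entries per directory."""
    findings = {}
    for directory, raw_names in tree.items():
        hidden = cross_view_diff(cloaked_view(raw_names), raw_names)
        if hidden:
            findings[directory] = hidden
    return findings


# Constructed sample tree; the "$sys$" names are made up and are not the
# real driver or service names shipped on the CDs.
SAMPLE_TREE = {
    r"C:\Windows\system32": [
        "kernel32.dll",
        "$sys$cloaked.sys",
        "$sys$drmservice.exe",
        "notepad.exe",
    ],
    r"C:\Users\demo\Documents": ["report.doc", "$sys$dropped.dll"],
    r"C:\Program Files\Example": ["example.exe"],
}

if __name__ == "__main__":
    for directory, hidden in scan_tree(SAMPLE_TREE).items():
        print(f"{directory}: hidden entries {hidden}")
```

The detector never needs to know the "$sys$" rule itself; it only compares the two views, which is why the same logic still catches a rootkit that hides by a different prefix or by patching a different API. The weak point in practice is obtaining a genuinely unfiltered view, which is why real tools read the raw disk structures or registry hive files rather than asking the operating system.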
Sony downplays the dangers of the rootkit and publishes a service pack to remove it - turns out the remover doesn't really work, though.
Very quickly, people began to take advantage of the rootkit, first as a World of Warcraft cheat, then as a means to install trojan code to seize control of a PC.
The Electronic Frontier Foundation issues an open letter demanding that Sony recall the CD. They also ask people who have been infected by the rootkit to contact them regarding the possibility of a class action lawsuit.
Word spreads like wildfire through the Internet. Many blogs and tech news sites discuss the details of the story. Word eventually spreads to the traditional press, giving the story wider coverage.
Then, to add insult to injury, it's discovered that Sony may have included open source code in their DRM suite (specifically, portions of the LAME MP3 encoder package) without following the requirements of its license, the LGPL. Apparently Sony feels it's OK to violate other people's copyrights as long as they are protecting their own.
BoingBoing has a detailed timeline of all the events to date.
It's bad enough that Sony treats their customers like criminals - to have them steal other people's software to create a software monster that violates the security of their customers' PCs is simply outrageous.
Sony BMG's global digital business division president Thomas Hesse has been quoted as saying "Most people, I think, don't even know what a rootkit is, so why should they care about it?" This, I feel, is the most damning statement of all. In effect they're saying that "our customers are too dumb to notice that we've hacked their PCs, so we'll do anything we damn well please".
The problem, Sony, is your customers include a pretty clued-in group of individuals who *will* catch you trying to pull stunts like this and scream from the rooftops to make sure the non-technical portion of your customer base finds out.
Related Links:
Initial posting on Sysinternals regarding rootkit
Slashdot discussion
Google search for "Sony rootkit"