Tuesday, November 22, 2005

Sony Follow-up

This post is an addendum to my earlier post regarding the way that Sony's DRM technology (i.e., the stuff that tries to keep you from making copies) installs a rootkit, a very dangerous piece of software. First, this article points out that security researcher Dan Kaminsky has found the "probable existence of at least one compromised machine in roughly 568,200 networks worldwide." Note that's the number of networks, not computers. There could be multiple computers on each network infected. Oh, and that was as of November 15th. Or you can look here for a visual representation of the areas infected.

As if the rootkit wasn't bad enough, the patch is worse than the original problem. To get the patch, you visit a Sony website. The site installs a program called CodeSupport on your computer. CodeSupport is then used to remove the rootkit. Sound good? Well, not according to Princeton CS professor Edward Felten:

CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any Web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site.

CodeSupport does no verification of the source. Any website can make a request to CodeSupport to install programs onto your computer without your knowledge or consent. Um, Houston, we have a problem. This is supposed to be a fix?
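"Marked as safe for scripting" is a registration, not a feature of the web page: a COM/ActiveX control registers itself under a "Safe for Scripting" component category, and Internet Explorer then lets any page drive it without a prompt. The added PowerShell below (my example, not code from the post, Sony or Felten) enumerates the controls on a Windows machine that carry that registration, so a defender can see which installed components are exposed to every site they visit. The post does not give CodeSupport's CLSID, so the script lists everything and takes an optional regex to narrow by name or DLL path; the two category GUIDs are the documented CATID_SafeForScripting and CATID_SafeForInitializing values.

```powershell
# Added example, not part of the original post: enumerate COM/ActiveX controls that are
# registered as "Safe for Scripting", i.e. ones Internet Explorer will let any web page
# drive without a prompt. CodeSupport's own CLSID is not given in the post, so this lists
# everything and lets you filter by a name or DLL-path pattern instead.
param(
    # Regex applied to the control's name and server path; the default matches everything.
    [string]$Pattern = '.*'
)

# Documented component-category GUIDs (CATID_SafeForScripting / CATID_SafeForInitializing).
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# Per-machine 64-bit and 32-bit hives plus the per-user hive, so a control registered
# only for the current user is not missed.
$hives = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

$findings = foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    foreach ($clsidKey in (Get-ChildItem -Path $hive -ErrorAction SilentlyContinue)) {
        $base = $clsidKey.PSPath
        # Only controls that declare the Safe-for-Scripting category are of interest.
        if (-not (Test-Path "$base\Implemented Categories\$SafeForScripting")) { continue }

        $name   = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ("$name $server" -notmatch $Pattern) { continue }

        [pscustomobject]@{
            CLSID             = $clsidKey.PSChildName
            Name              = $name
            Server            = $server
            SafeForInitialize = Test-Path "$base\Implemented Categories\$SafeForInitializing"
            Hive              = $hive
        }
    }
}

$findings | Sort-Object Server | Format-Table -AutoSize
```

Run it as-is for a full inventory, or with `-Pattern 'CodeSupport'` to look only for the component the post discusses. Two caveats: a control can also assert safety at runtime through the IObjectSafety interface, which leaves no registry trace, so absence from this list is not proof a control is unscriptable; and the remedy for a control that should never be reachable from a browser is not to delete the registry keys but to set its kill bit (a `Compatibility Flags` DWORD of `0x400` under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`), which stops Internet Explorer loading it at all, whatever the control claims about itself.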

And it gets even more fun for Sony and First4Internet (the company that wrote the original DRM software licensed by Sony). It appears this software includes code taken from open-source projects: the LAME MP3 encoder and a file called demux/mp4/drms.c, licensed under the LGPL and GPL respectively. The GPL is a licensing scheme that requires (among other things) that the original code authors be given credit. No such reference exists in XCP (the DRM software). While the GPL has never been tested in a court of law, Sony and/or First4Internet could be looking at copyright infringement charges. We'll have to wait and see about that...

And, to make it oh so wonderful for Sony, the Texas attorney general has filed suit against them for all of this nonsense. Texas is seeking $100,000 per violation. The RIAA (which represents recording labels and companies like Sony) likes to try to sue people for some egregious amount (more than $1000) per song illegally downloaded. Given the relative damage between a single illegal download and the installation of a rootkit, I say, "Go Texas!" A couple thousand computers infected could produce a fine in the hundreds of millions of dollars. I have no pity for them at all.

This last note is a little unrelated, but not entirely. When companies like Sony pull some sort of crap like this, they are not just hurting themselves. Sony, after all, is a large, respected name. If you can't trust them, who can you trust? Perhaps that helps to explain why less than 1 in 5 people trust websites to handle personal information properly. You don't say.

Update: I meant to include this link in my post, as well. If you thought the rootkit and the patch were bad enough, try checking out the EULA (i.e., the terms that you supposedly agree to whenever you install software). A couple of the gems:

  • If you file for bankruptcy, you must delete all digital copies of the CD.

  • If the CD is stolen, you must delete any copies you have on your computer.

  • You cannot hold Sony-BMG liable for more than $5, no matter what happens.

Man, I can't stop laughing over here...
