Sony, rootkits, and the escalation of the DRM war
[Posted November 2, 2005 by corbet]
As most readers are likely to have seen by now, a Windows developer recently
discovered that a rootkit on his system had been installed by the DRM
("digital restrictions management," to use Richard Stallman's apt term)
code from a copy-protected CD. This CD (Van Zant's appropriately named
"Get Right With The Man") was issued by SonyBMG. It happily installed
software on the system, overrode a couple of system calls, and proceeded to
hide itself from casual view. This is not the sort of experience that CD
purchasers are normally looking for. SonyBMG should - and will - take a fair
amount of grief from this bit of silliness.

Just how silly is only now becoming clear: consider this
weblog entry which suggests that SonyBMG's DRM activities don't really
even have anything to do with copy protection. Instead, SonyBMG is simply
trying to make life more difficult for iPod users as a way of trying to
muscle in on Apple's turf. It is increasingly clear that DRM is being used
as a way of excluding competition, rather than for its stated purpose.
With luck, some politicians might begin to understand this, and the tone of
the debate in various national capitals may change a bit.

Meanwhile, it is also clear that DRM is increasingly a security issue. We
have music discs which install malware, the entertainment industry trying
to poison BitTorrent streams, and legislators who would like to legalize
overt attacks against those who are deemed to be pirates. There will
certainly be many computers - including those in companies - which have
been infected with the DRM code shipped by SonyBMG, and the full
capabilities of that code remain unclear. The next security compromise
carried out in the name of piracy prevention may be even worse.

There are some obvious conclusions to be drawn from this episode. The most
obvious of all is that automatically running code from an arbitrary CD
is a stunningly bad idea. Beyond that, avoiding Windows helps, for now.
Even Macintosh systems are unaffected by SonyBMG's DRM. And it has been
made clear that security threats can come from unexpected directions.
SonyBMG is not a bunch of script kiddies in a basement somewhere; it's a
high-profile corporation which, one might expect, would not be in the
business of attacking its customers' computers. This is unlikely to be the
last episode of this kind we will see.