Sony's rootkit: an update
[Posted November 15, 2005 by corbet]
For most companies, simply being caught installing rootkit-like software
onto the systems of customers who thought they were merely playing a music
CD would be bad enough. Certainly, the Halloween disclosure that
some SonyBMG discs install a rootkit (called "XCP") has been a source of grief for that
company, and rightly so. It takes a truly expansive interpretation of the
notion of "intellectual property rights" to believe that such rights allow
the installation of malware on other people's computers. As this event -
and those which have come after - have shown, however, SonyBMG appears to
have learned little from the whole episode.
Just how little the company has learned can be heard in this
NPR interview with SonyBMG manager Thomas Hesse. When asked about the
rootkit, Mr. Hesse responded:
Most people, I think, don't even know what a rootkit is, so why
should they care about it?
As the class-action suits begin to pile up, and as even Microsoft feels the
need to create a Sonyware removal tool, maybe Mr. Hesse will eventually
realize that people (who are rapidly learning what a rootkit is) do care.
SonyBMG has claimed that there is no "phone home" capability in this
software. Unfortunately for the company, connections back home are
relatively easy to detect. Some investigation
quickly showed that SonyBMG's software does indeed make a connection back
home when the CD is played. Nowhere has SonyBMG alerted its users to this
behavior and the associated privacy problems.
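The article says connections back home are easy to detect; the following is an added example (not code from the article, from SonyBMG, or from the XCP vendor) showing the two checks a practitioner would run to test a vendor's "no phone home" claim: first attribute outbound connections to the player process from per-process connection records, then look at what the captured request actually sends. The record format, the process name player.exe, the addresses, the host updates.example-label.invalid and the disc/player query parameters are all constructed assumptions.

```python
"""Verify a "no phone home" claim from connection logs and a captured request.

Added example: not code from the LWN article, from SonyBMG or from the XCP
vendor. It runs over constructed, Sysmon-style per-process connection
records; the process name, addresses, host and request fields are
assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed records: "<timestamp> <pid> <image> <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2005-11-01T20:14:02 1188 player.exe udp 192.168.1.20:1042 -> 192.168.1.1:53
2005-11-01T20:14:02 1188 player.exe tcp 192.168.1.20:1043 -> 203.0.113.10:80
2005-11-01T20:14:07 1188 player.exe tcp 192.168.1.20:1044 -> 203.0.113.10:80
2005-11-01T20:15:00 932 mail.exe tcp 192.168.1.20:1045 -> 198.51.100.25:110
2005-11-01T20:16:31 1188 player.exe udp 192.168.1.20:1046 -> 224.0.0.251:5353
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Traffic that never leaves the LAN is not a "phone home". Listed explicitly
# rather than via ipaddress.is_private, which also classifies the documentation
# ranges used in the sample (203.0.113.0/24 and friends) as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",     # loopback, link-local, multicast
)]


def parse_line(line):
    """Return a dict for one record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def phone_home_connections(log_text, image, allowed_hosts=frozenset()):
    """Remote endpoints contacted by `image`, with counts, excluding LAN
    traffic and any hosts the vendor has documented in `allowed_hosts`."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["image"].lower() != image.lower():
            continue
        if is_local(rec["dst"]) or rec["dst"] in allowed_hosts:
            continue
        counts[(rec["dst"], rec["dport"], rec["proto"])] += 1
    return sorted(counts.items())


# Constructed request captured on the flagged connection. The path and the
# parameter names are assumptions; the point is that a playback "check-in"
# tells whoever runs the server which disc is being played, and when.
SAMPLE_REQUEST = (
    "GET /check?disc=0123456789&player=1.0 HTTP/1.1\r\n"
    "Host: updates.example-label.invalid\r\n"
    "User-Agent: player/1.0\r\n\r\n"
)


def request_fields(raw_request):
    """Pull the host, path and query parameters out of a captured HTTP request."""
    request_line, _, header_block = raw_request.partition("\r\n")
    method, target, _version = request_line.split(" ", 2)
    host = None
    for header in header_block.split("\r\n"):
        name, sep, value = header.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "host": host, "path": parts.path, "params": params}


if __name__ == "__main__":
    for (dst, port, proto), n in phone_home_connections(SAMPLE_LOG, "player.exe"):
        print(f"player.exe -> {dst}:{port}/{proto} x{n}")
    print(request_fields(SAMPLE_REQUEST))
```

Running it reports the one remote endpoint the player contacted while the disc played, and the captured request shows the disc identifier going out with it. Passing that endpoint in `allowed_hosts` is what a vendor disclosure would amount to: a documented host the user can inspect and block, as opposed to the undisclosed connection the article describes.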
For additional amusement, see the EULA which
comes with the rootkit software.
SonyBMG has made an uninstaller available for those few users who are
capable of understanding what a rootkit does and being upset by it. It
turns out, however, that this uninstaller is worse than the original
rootkit. Running the uninstaller opens a number of holes - which can
be exploited via web pages - in the target system. So victims of SonyBMG's
rootkit who care about the security of their systems are in a bind; there
is currently no straightforward way to get that software off the system
without compromising the system even further.
Yet another ironic twist is the possibility
that Sony's rootkit includes some LGPL-licensed code, but does not comply
with the license. If this were true (and there are some doubts
on this point, though they seem to be getting
smaller), the hypocrisy would be complete.
In response to all this, SonyBMG announced that it would "temporarily" stop
making CDs with XCP on them. There was no apology, much less an offer to
compensate people whose systems have been compromised. Neither was there a
recall of the malware-infected discs (apparently millions of them) which were
still in the retail pipeline. Only on November 15 did SonyBMG finally
give in, recall the outstanding XCP-infected CDs, and offer to replace
discs in the hands of its customers. Said users are still waiting for the
compensation offer, however.
It is also worth noting that Sony is still shipping CDs with
Sunncomm's MediaMax DRM code on them. MediaMax may not be quite as bad
as XCP, but it is still hostile software which, among other things, phones
home.
In the end, SonyBMG appears to have been slapped down fairly hard for its
actions. It would be a mistake to assume that this sort of incident will
not happen again, however. The entertainment industry has managed to
create such a strawman enemy out of "pirates" that any sort of response
appears to be justified. In a world where these folks can dictate the
design of radios and televisions, attempt to legalize online attacks against
"pirates," and file lawsuits against children, the addition of malware to a
music disc seems like a small thing. Until such a time as this industry
stops seeing its own customers as enemies, it will fail to show those
customers any respect.
Linux users should not expect much respect either. Efforts like the
broadcast flag already threaten to make the creation of free television and
radio receivers impossible. Beyond any doubt, the music industry looks
forward to the day when even playing a song on a free system will be
disallowed. As Linux users, we are not much impressed by the idea that, in
order to play a music track, we must accept the installation of hostile
software onto our systems. Unfortunately, we may yet see a day when that
is the only choice we have.
(See also: the EFF's open
letter to SonyBMG and the Sony
timeline on BoingBoing).