
An analysis of the SonyBMG rootkit disaster

Deirdre K. Mulligan and Aaron K. Perzanowski have posted a 76-page paper [PDF] on the causes of the SonyBMG rootkit fiasco. "This Article aims to identify the market, technological, and legal factors that appear to have led a presumably rational actor toward a strategy that in retrospect appears obviously and fundamentally misguided." There are also a couple of detailed suggestions for (U.S.) legal changes which could help make such episodes less likely in the future.

An analysis of the SonyBMG rootkit disaster

Posted Dec 18, 2007 17:21 UTC (Tue) by pr1268 (subscriber, #24648) [Link]

Here's a related paper from Princeton University (PDF): http://itpolicy.princeton.edu/pub/sonydrm-ext.pdf

Like the paper our editor has linked, the Princeton paper also examines the technical, legal, and commercial details of the DRM technology. Not having actually Mulligan's and Perzanowski's paper (yet), I can already tell it reaches the same conclusions as the Princeton paper.

Thank you, Jon, for posting this.

Typo correction

Posted Dec 18, 2007 17:34 UTC (Tue) by pr1268 (subscriber, #24648) [Link]

Correction: Not having actually read Mulligan's and Perzanowski's paper...

An analysis of the SonyBMG rootkit disaster

Posted Dec 18, 2007 19:06 UTC (Tue) by clugstj (subscriber, #4020) [Link]

Well, having just read it, I must say that it is a very reasoned analysis of the "disaster".

An analysis of the SonyBMG rootkit disaster

Posted Dec 18, 2007 19:45 UTC (Tue) by dmarti (subscriber, #11625) [Link]

Good paper.

"But unlike the collective costs to security imposed by the rootkit incident, the reduced viability of DRM in the consumer music market may well represent a positive externality, rather than a negative one. To the extent the constraints and risk DRM imposed on consumers outweighed any benefits they conferred on copyright owners and the public, the reduction of DRM in the consumer marketplace could increase overall utility."

An analysis of the SonyBMG rootkit disaster

Posted Dec 18, 2007 19:59 UTC (Tue) by pr1268 (subscriber, #24648) [Link]

Scare quotes or not, I think "disaster" is an appropriate word to describe Sony's music CD rootkit strategy. Both papers show ample evidence that Sony's DRM techniques backfired in all possible ways.

An analysis of the SonyBMG rootkit disaster

Posted Dec 19, 2007 1:40 UTC (Wed) by hanwen (subscriber, #4329) [Link]

Why the † sign? Did she die or is this a C&P error?

An analysis of the SonyBMG rootkit disaster

Posted Dec 19, 2007 2:04 UTC (Wed) by pr1268 (subscriber, #24648) [Link]

I assume your question refers to the title page of the PDF. I'm pretty sure that footnotes in the title/author section of an article are not usually numbered. I don't think this has anything to do with death or crucifixion.

An analysis of the SonyBMG rootkit disaster

Posted Dec 19, 2007 10:10 UTC (Wed) by anselm (subscriber, #2796) [Link]

The symbol in question is called, in typographer circles, a »dagger«, and does not have anything to do with death or Christianity. It's what you use for footnotes when you don't number them. Lower down on the title page there's a footnote that gives the institute that Professor Mulligan is affiliated to, and the dagger behind her name points to that footnote.

An analysis of the SonyBMG rootkit disaster

Posted Dec 19, 2007 11:53 UTC (Wed) by etienne_lorrain@yahoo.fr (guest, #38022) [Link]

When reading that report, I get the impression that "it is something of the past". But a music CD has a lifetime of easily 20 years, and probably a lot of countries still have laws which forbid uninstalling the rootkit. Are there current statistics somewhere about how many "Sony BMG phone home" connections are made per day?

Another completely different question, considering that IANAL, is how much I own my PC? More precisely, if "they" claim the right to install and remove anything they want from my PC without informing me, who is *legally* responsible for the content of the hard drive - and its consequences?

Few countries approve that

Posted Dec 19, 2007 16:22 UTC (Wed) by man_ls (subscriber, #15091) [Link]

> But a music CD has a lifetime of easily 20 years, and probably a lot of countries still have laws which forbid uninstalling the rootkit.

I doubt there are laws like that in many countries. The US is the only place where such draconian places could be tolerated, followed closely by western European countries.

An analysis of the SonyBMG rootkit disaster

Posted Dec 19, 2007 18:27 UTC (Wed) by copsewood (subscriber, #199) [Link]

In the UK, if anyone had this software installed on their PC without their informed consent, the rootkit would have been a modification unauthorised by the system owner. This would put those who caused this to occur in breach of the UK Computer Misuse Act (unauthorised modifications). If someone in this position had complained, the police would have been obliged to investigate. I don't know whether any such complaint was made, but I for one wouldn't have minded seeing one or 2 company directors doing jail time for this and made an example of. This might have discouraged similar actions and made people who cause software to be installed in the UK for commercial reasons think twice.

Copyright © 2007, Eklektix, Inc.