Just how little the company has learned can be heard on this NPR interview with SonyBMG manager Thomas Hesse. When asked about the rootkit, Mr. Hesse responded:
As the class-action suits begin to pile up, and as even Microsoft feels the need to create a Sonyware removal tool, maybe Mr. Hesse will eventually realize that people (who are rapidly learning what a rootkit is) do care.
SonyBMG has claimed that there is no "phone home" capability in this software. Unfortunately for the company, connections back home are relatively easy to detect. Some investigation quickly showed that SonyBMG's software does indeed make a connection back home when the CD is played. Nowhere has SonyBMG alerted its users to this behavior and the associated privacy problems.
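The paragraph above notes that connections back home are easy to detect. The script below is an added example (not code from the article, from SonyBMG, or from the XCP software) of the basic check: parse a netstat-style connection listing, keep only the rows owned by a watched media-player process, and flag any whose remote address lies outside the loopback and RFC 1918 ranges the workstation considers internal. The listing, the process name `player.exe` and the remote addresses (RFC 5737 documentation ranges) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges treated as "home turf": loopback plus the RFC 1918 networks
# a typical workstation sits on. Any other destination is external and, when
# the owning process is a music player, worth a second look.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample listing (not a real capture). Columns: protocol, local
# endpoint, remote endpoint, state (absent for UDP), owning process.
# The process name and the remote addresses are placeholders.
SAMPLE_LISTING = """\
TCP    192.168.1.20:1054    192.168.1.1:53        TIME_WAIT    svchost.exe
TCP    192.168.1.20:1060    203.0.113.10:80       ESTABLISHED  player.exe
TCP    127.0.0.1:1025       127.0.0.1:1026        ESTABLISHED  player.exe
UDP    192.168.1.20:137     *:*                                svchost.exe
TCP    192.168.1.20:1061    198.51.100.7:443      SYN_SENT     player.exe
"""


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str
    process: str


def parse_listing(text):
    """Parse a netstat-style listing into Connection records.

    A UDP row carries no state column, so a four-field row is accepted
    alongside the usual five-field TCP row; anything else is skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            proto, local, remote, state, process = fields
        elif len(fields) == 4:
            proto, local, remote, process = fields
            state = ""
        else:
            continue
        conns.append(Connection(proto, local, remote, state, process))
    return conns


def remote_host(endpoint):
    """Return the host part of 'host:port' (brackets stripped for IPv6),
    or None for a wildcard endpoint such as '*:*'."""
    host, _, _ = endpoint.rpartition(":")
    host = host.strip("[]")
    if host in ("", "*"):
        return None
    return host


def is_external(host):
    """True when the host is a literal IP address outside INTERNAL_NETWORKS.
    Unparseable hosts are treated as not external rather than guessed at."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_phone_home(listing, watched_processes):
    """Return the connections owned by a watched process whose remote end
    is an external address: the candidate 'phone home' traffic."""
    flagged = []
    for conn in parse_listing(listing):
        if conn.process.lower() not in watched_processes:
            continue
        host = remote_host(conn.remote)
        if host is not None and is_external(host):
            flagged.append(conn)
    return flagged


if __name__ == "__main__":
    for conn in find_phone_home(SAMPLE_LISTING, {"player.exe"}):
        print(f"{conn.process} -> {conn.remote} ({conn.proto} {conn.state})")
```

Against the constructed listing the two external connections from `player.exe` are reported, while its loopback connection and the local DNS traffic from `svchost.exe` are ignored. A real check would feed in the output of the platform's connection listing tool and would also watch for DNS queries, since a phone-home host is usually reached by name rather than by a hard-coded address.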
For additional amusement, see the EULA which comes with the rootkit software.
SonyBMG has made an uninstaller available for those few users who are capable of understanding what a rootkit does and of being upset by it. It turns out, however, that this uninstaller is worse than the original rootkit: running it opens a number of holes in the target system which can be exploited via web pages. So victims of SonyBMG's rootkit who care about the security of their systems are in a bind; there is currently no straightforward way to get that software off the system without compromising the system even further.
Yet another ironic twist is the possibility that Sony's rootkit includes some LGPL-licensed code, but does not comply with the license. If this were true (and there are some doubts on this point, though they seem to be getting smaller), the hypocrisy would be complete.
In response to all this, SonyBMG announced that it would "temporarily" stop making CDs with XCP on them. There was no apology, much less an offer to compensate people whose systems have been compromised. Neither was there a recall of the (apparently) millions of malware-infected discs which were still in the retail pipeline. Only on November 15 did SonyBMG finally give in, recall the outstanding XCP-infected CDs, and offer to replace discs in the hands of its customers. Said users are still waiting for the compensation offer, however.
It is also worth noting that Sony is still shipping CDs with Sunncomm's MediaMax DRM code on them. MediaMax may not be quite as bad as XCP, but it is still hostile software which, among other things, phones home.
In the end, SonyBMG appears to have been slapped down fairly hard for its actions. It would be a mistake to assume that this sort of incident will not happen again, however. The entertainment industry has managed to create such a strawman enemy out of "pirates" that any sort of response appears to be justified. In a world where these folks can dictate the design of radios and televisions, attempt to legalize online attacks against "pirates," and file lawsuits against children, the addition of malware to a music disc seems like a small thing. Until such a time as this industry stops seeing its own customers as enemies, it will fail to show those customers any respect.
Linux users should not expect much respect either. Efforts like the broadcast flag already threaten to make the creation of free television and radio receivers impossible. Beyond any doubt, the music industry looks forward to the day when even playing a song on a free system will be disallowed. As Linux users, we are not much impressed by the idea that, in order to play a music track, we must accept the installation of hostile software onto our systems. Unfortunately, we may yet see a day when that is the only choice we have.
Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds