Sony’s DRM Causes Windows Security Risk
Editor’s Note: We originally published this story on Wednesday, Nov. 2. But since the continues to grow and we have added an unusually high number of updates, we are publishing a new entry that includes updated information.
Additionally, given Sony’s slow, ineffective response to distributing harmful spyware, CopyCense supports Wired News’ call for a wholesale boycott of all Sony’s products and intellectual property. We recommend that the boycott last through Dec. 31, 2005, thereby economically penalizing Sony’s sales during the critically important holiday sales season.
“Mark Russinovich was doing a routine test this week of computer security software he’d co-written, when he made a surprising discovery: Something new was hiding itself deep inside his PC’s guts.
“It took Russinovich, an experienced programmer who has written a book on the Windows operating system for Microsoft, some time to track down exactly what was happening, but he ultimately traced it to code left behind by a recent CD he’d bought and played on his computer.”
John Borland. Sony CD Protection Sparks Security Concerns. News.com. Nov. 1, 2005.
Mark’s Sysinternals Blog. Sony, Rootkits and Digital Rights Management Gone Too Far. Oct. 31, 2005.
CopyCense. Sony BMG Settles DRM Lawsuit. Jan. 4, 2006.
Michael Desmond. Security Industry Rocked by Sony Rootkit Fiasco. Redmond. January 2006. (“The Sony BMG rootkit fiasco could be the worst retail marketing meltdown since the launch of New Coke. While Sony has been rightly villified for its irresponsible actions, the real question is, why did it take so long for security vendors to detect and remediate this serious threat?”)
Freedom to Tinker. Sony CDs and the Computer Fraud and Abuse Act. Dec. 21, 2005.
Reuters. New Spyware Claim Against Sony BMG. News.com. Dec. 21, 2005.
EFF Deep Links. Summary of Claims Against Sony-BMG. Dec. 18, 2005.
John Borland. Sony Fixes Security Hole in CDs, Again. News.com. Dec. 8, 2005. (“Sony announced on Tuesday that a new risk had been found with a batch of 27 of its compact discs, which automatically install antipiracy software on hard drives when put into a computer’s disc drive. Along with the Electronic Frontier Foundation, a digital rights group, the record label released a patch aimed at fixing that flaw. However, Princeton computer science professor Ed Felten wrote in his blog on Wednesday that the patch itself could open computers to attack by hackers.”)
Freedom to Tinker. MediaMax Bug Found; Patch Issued; Patch Suffers from Same Bug. Dec. 7, 2005.
Olga Kharif. For Sony, a Pain in the Image. BusinessWeek Online. Dec. 2, 2005.
Arik Hesseldahl. Spitzer Gets on Sony BMG’s Case. BusinessWeek Online. Nov. 29, 2005.
Steve Hamm. Sony BMG’s Costly Silence. BusinessWeek Online. Nov. 29, 2005.
Steven Levy. Sony Gets Caught With Slipped Discs. Newsweek. Nov. 28, 2005.
Tom Zeller Jr. Sony BMG Sued Over CD’s With Anti-Piracy Software. The New York Times. Nov. 22, 2005.
The Gripe Line Web Log. Sony’s DRM Profile. Nov. 22, 2005. (“What was Sony’s real motive for what many consider behavior that is awfully close to a criminal act? To answer that question I think we’re going to need to borrow a page from the criminal profilers by tracking the company’s behavior. Fortunately, we have more than one crime scene to help us with our profile, because it so happens that Sony has been employing more than one form of spywarish DRM in recent months.”)
BenEdelman.org. Cleaning Up Sony’s Rootkit Mess. November 21, 2005.
Electronic Frontier Foundation. EFF Files Class Action Lawsuit Against Sony BMG. (Press release) Nov. 21, 2005.
Michael Geist. Sony’s Long-Term Rootkit CD Woes. BBC News. Nov. 21, 2005. (“Stewart Baker, the US Department of Homeland Security’s assistant secretary of policy, admonished the music industry, reminding them that ‘it’s very important to remember that it’s your intellectual property – it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.'”)
John Leyden. Gaffer Tape Defeats Sony DRM Rootkit. The Register. Nov. 21, 2005.
John Borland. Who Has the Right to Control Your PC? News.com. Nov. 21, 2005.
Joris Evers. What Makes A Rootkit? News.com. Nov. 21, 2005.
Paul F. Roberts. Amazon.com Offers Refund for ‘Rootkit’ DRM-Carrying Sony CDs. PCMag.com. Nov. 18, 2005.
Associated Press. Copy Protection Still a Work in Progress. Yahoo! News. Nov. 18, 2005.
Gregg Keizer. Sony Rootkits: A Sign Of Security Industry Failure? InformationWeek. Nov. 18, 2005. (“[For] at least for seven months, Sony BMG Music CD buyers have been installing rootkits on their PCs. Why then did no security software vendor detect a problem and alert customers?” asked an analyst.)
Martin Reynolds and Mike McGuire. Sony BMG DRM a Public-Relations and Technology Failure. Gartner. Nov. 18, 2005. (.pdf, 36.2 KB)
Andrew Orlowski. Sony’s CD Rootkit Infringes DVD Jon’s Copyright. The Register. Nov. 18, 2005.
Andrew Kantor. Sony: The Rootkit of All Evil? USA Today. Nov. 17, 2005. (“Thomas Hesse, president of Sony BMG’s global digital business said, ‘Most people I think don’t even know what a rootkit is, so why should they care about it?'”)
BBC News. Sony to Recall Copy-Protected CDs. Nov. 16, 2005.
Freedom to Tinker. Sony’s Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs. Nov. 15, 2005.
Dan Goodin. Boycott Sony. Wired News. Nov. 14, 2005.
Electronic Frontier Foundation. An Open Letter to Sony-BMG. No date.
Jefferson Graham. Firestorm Rages Over Lockdown on Digital Music. USA Today. Nov. 13, 2005. (“New York University sophomores Inga Chernyak and Diana Rosenthal took part in a demonstration near campus the other day. It had nothing to do with the Iraq war, a political election or any of the other hot-button issues students normally want to protest. Instead, the pair and about 20 other NYU students were out to rally consumers against what Chernyak calls a dark force that has invaded her tech life: digital rights management.”)
Joris Evers. Microsoft Will Wipe Out Sony’s ‘Rootkit’. News.com. Nov. 13, 2005.
Spyware Confidential. Sony Stops DRM CDs – Temporarily. Nov. 11, 2005.
Reuters. Sony BMG Pulls CD Software. eWeek. Nov. 11, 2005.
Joris Evers. Sony Halts Production of ‘Rootkit’ CDs. News.com. Nov. 11, 2005.
John Borland. FAQ: Sony’s ‘Rootkit’ CDs. News.com. Nov. 11, 2005.
Ingrid Marson. Sony Faces Multiple Lawsuits Over DRM Rootkit. ZDNet UK. Nov. 10, 2005.
Jay Wrolstad. Hackers Exploit Secret Copy Protections Found on Sony CDs. CIO Today. Nov. 10, 2005.
InformationWeek Blog. At Sony, The Customer Is Captive. Nov. 10, 2005.
The Gripe Line Web Log by Ed Foster. EULAs and DRM Make Ugly Music Together. InfoWorld. Nov. 10, 2005. (“It’s important to keep in mind, [Fred von Lohmann] points out, that the music is sold, not licensed. … But if you want to play the CD on your computer, under the Sony EULA all those rights are ‘licensed’ away.”)
CD Freaks. Sony Faces Californian Class-Action Suit & Likely a 2nd U.S. Suit. Nov. 10, 2005.
EFF Deep Links. Now the Legalese Rootkit: Sony-BMG’s EULA. Nov. 9, 2005.
EFF Deep Links. Are You Infected by Sony-BMG’s Rootkit? Nov. 9, 2005. (List of SonyBMG CDs suspected of having the rootkit problem.)
Declan McCullagh. Perspective: Why They Say Spyware Is Good For You. News.com. Nov. 7, 2005. (“It’s a wacky result when both Sony and its hapless customers could be embroiled in legal hot water at the same time.”)
Mark’s Sysinternals Blog. Sony’s Rootkit: First 4 Internet Responds. Nov 6, 2005.
Molly Wood. DRM This, Sony! CNET.com. Nov. 3, 2005. (“So, let’s make this a bit more explicit. You buy a CD. You put the CD into your PC in order to enjoy your music. Sony grabs this opportunity to sneak into your house like a virus and set up camp, and it leaves the backdoor open so that Sony or any other enterprising intruder can follow and have the run of the place. If you try to kick Sony out, it trashes the place.”)
Freedom to Tinker. SonyBMG and First4Internet Release Mysterious Software Update. Nov. 3, 2005. (Princeton professor Edward W. Felten writes, “SonyBMG and First4Internet … have taken their first baby steps toward addressing the problem. But they still have a long way to go; and they might even have made the situation worse. The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function — they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.”)
Eric Goldman. Sony, DRM and Trespass to Chattels. Nov. 2, 2005. (“Sony’s software was installed based on a EULA that contained disclosures about the software. Though we may doubt the efficacy of disclosures in the EULA (a point I’ll discuss more below), this was not a surreptitious installation.”)
Wired Editorial Staff. The Cover-Up Is the Crime. Wired News. Nov. 2, 2005. (“By deliberately corrupting the most basic functionality of their customers’ computers, Sony broke the rules of fair play and crossed a bright line separating legitimate software from computer trespass. Their actions may be civilly actionable.”)
John Borland. Sony to Patch Copy-Protected CD. News.com. Nov. 2, 2005.
Slashdot. Sony Rootkit CD Providers. Nov. 1, 2005.
Robert Vamosi. Security Watch: Root Kit 101. CNET Reviews. Oct. 21, 2005.
CopyCense™: K. Matthew Dames on the intersection of business, law and technology. A business venture of Seso Digital LLC.