Corporate citizenship, or lack thereof

Mark Russinovich has analyzed the SonyBMG DRM uninstaller and concludes, "Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.".

In his Freedom to Tinker blog, Ed Felten summarizes why he now considers SonyBMG's DRM to be spyware:

In all the discussion of the SonyBMG software, I’ve been avoiding the S-word. But now it’s clear that this software crosses the line. It’s spyware.

Let’s review the evidence:

* The software comes with a EULA which, at the very least, misleads users about what the software does.
* The software interferes with the efforts of ordinary users and programs, including virus checkers and other security software, to identify it.
* Without telling the user or obtaining consent, the software sends information to the vendor about the user’s activities.
* No uninstaller is provided with the software, or even on the vendor’s website, despite indications to the contrary in the EULA.
* The vendor has an uninstaller but refuses to make it available except to individual users who jump through a long series of hoops.
* The vendor makes misleading statements to the press about the software.

This is the kind of behavior we’ve come to expect from spyware vendors. Experience teaches that it’s typical of small DRM companies too. But why isn’t SonyBMG backing away from this? Doesn’t SonyBMG aspire to at least a modest level of corporate citizenship?

XP Automatic Updates annoyances

Two aspects of Windows XP Automatic Updates drive me batty.

One is the popup box that harasses you every 10 minutes after an update has been installed until you reboot.

The other is the fact that Windows will kill all processes and reboot the machine when doing a scheduled update overnight. Several times after I thought I had shut down my computer for the night, I've returned in the morning to find it was still running, with an instance of Notepad prompting me to save my changes to a scratch document. I say "no", and then the computer shuts down, and I have to wait for it to shut down and start up before I can get to work. While on the other hand, if a Windows update is pending, Microsoft couldn't care less about your data or any running processes and will just kill them all at a whim so it can patch itself against the latest security overrun and show the media that Microsoft is Serious about Security.

Fortunately, both these annoyances can be solved with a registry hack:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"RebootRelaunchTimeoutEnabled"=dword:00000000
"NoAutoRebootWithLoggedOnUsers"=dword:00000001

EMI: We don't use rootkits

Record company The EMI Group has distanced themselves from the Sony DRM controversy by stating that they don't use rootkits.

"The content-protection software that we're using can be easily uninstalled with a standard uninstaller that comes on the disc. EMI is not using any software that hides traces of the program. There is no 'rootkit' behavior, and there are no processes left running in the background," said an EMI spokesman in a statement.

I don't blame EMI for capitalizing on Sony's mistake, but EMI isn't much better, since they still make you install third-party "content protection" software to use the CD in a computer. Perhaps it's less virulent than Sony's, but it still serves no purpose other than to reduce the CD's usefulness, punishing paying customers while doing nothing to stop piracy.

Per the Red Book specification, computers can read audio CDs. Any effort to make a CD unreadable in a computer must of necessity cripple one or the other. I'm not interested in buying a crippled CD that I can't use how I want, and I'm certainly not interested in paying a record company to compromise my PC with malicious software.

The Malware Company Responds

First 4 Internet, the UK-based company behind Sony BMG's malicious DRM, responded to Mark Russinovich's blog entry, calling his assertion that their rootkit unloader can crash the system "pure conjecture". Mr. Russinovich has posted a scathing reply that includes a screenshot of a BSOD caused by F4I's rootkit driver. He also calls them out on their refusal to acknowledge the security and stability risks posed by their software, and he criticizes them for acting like an adware company and making it extraordinarily difficult to uninstall.

Mr. Russinovich concludes:

Instead of admitting fault for installing a rootkit and installing it without proper disclosure, both Sony and First 4 Internet claim innocence. By not coming clean they are making clear to any potential customers that they are a not only technically incompetent, but also dishonest.

Read the full article.

Sony's reaction: Not nearly good enough

In response to criticism about its rootkit-installing CD, Sony and First4 Internet (its UK-based subcontractor that actually wrote the malware) have released a patch that will allegedly uninstall the rootkit, so that files, processes, and registry keys starting with $sys$ are no longer hidden from the user. The patch does not uninstall the malware, however--it still spies on executing process and continuously saps system resources, it still interferes with normal operation of the CD-ROM drive, and there's still no way to completely uninstall it without contacting Sony BMG and inviting spam from them.

Sony needs to release full instructions on how to completely uninstall its DRM malware. (An executable will not do, since that would require us to trust that it works, and Sony has clearly betrayed that trust.) If removing that malware means users can no longer listen to CDs, then Sony needs to accept returns with full refunds for all its affected victimscustomers.

I personally will not purchase media from Sony or any of its subsidiaries again until Sony does the following:

• Acknowledge that its DRM does indeed pose security and stability risks and publicly apologize for it
  
• Recall all CDs and DVDs that install DRM solutions that interfere with the normal operation of the computer, including but not limited to the following actions:
  
  
  
  • Hide processes, registry keys, or files from the user or operating system
    
  • Hook kernel interfaces
    
  • Install any code of any kind that runs in ring 0, including but not limited to filter drivers
    
  • Monitor processes that are not its own
    
  • Constantly consume CPU and/or memory resources
    
  • "Phone home" in any way, shape, or form
    
  • Cannot be completely uninstalled through normal means
• Promise never to ship such DRM solutions again

Good reads on this subject:

When Vendors Install Malware (eWeek)
The Cover-Up Is the Crime (Wired News)
SonyBMG and First4Internet Release Mysterious Software Update (Freedom to Tinker)

UPDATE: Sony's "patch" doesn't uninstall the rootkit after all! It just turns off the $sys$ cloaking. And yet Sony continues to insist their DRM is "not a security risk" and is "not malicious". These statements are blatant lies. As the author of the blog linked above writes,

Anything that alters the underlying functionality of our computer at the kernel level compromises our security. Anything that does it without our knowledge to prevent us from using our computers as we like is malicious.

Spyware vs. Spyware

It's been known for awhile that Blizzard Entertainment uses spyware ("Warden") to ban cheaters from World of Warcraft. And yesterday I wrote about how Sony install spyware to prevent copying CDs.

Well, it was bound to happen. People are now using Sony's rootkit to hide their cheat programs from Blizzard's Warden. I love it!

Sony music CD installs malware

I've always thought copy protection on music CDs was counterproductive. It makes no sense if you think about it--the labels hope to increase CD sales by producing broken CDs that won't play in your computer or iPod.

Well, in the music industry's latest efforts to prevent people from buying CDs, Sony sells CDs that install malware on your computer. In this article, Windows guru Mark Russinovich describes a rootkit he found on his computer and eventually traced to software installed by a CD sold by Sony BMG and ironically entitled "Get Right with the Man". He describes what this Sony Spyware does--queries all process on your computer several times per second, consuming 1-2% of your CPU even when you're not playing a CD--and how it uses techniques commonly associated with malware to hide itself from the user--as well as antivirus software.

Way to reward your customers for being honest, Sony. A Slashdot post puts it eloquently:

The people being hurt by this DRM software are people who have already communicated their intent to do the right thing by purchasing the CD. Sony has just guaranteed that a lot of people will never make that mistake again.

Welcome to a Brave New World: People who pay for their music get viruses, while people who download it at no cost from illegal sources get clean MP3s that they can freely copy and use on whatever devices they own.

So what happens next?

Will the media pick up on this? Will antivirus and antispyware programs detect and remove Sony's rootkit? Or will they all turn a blind eye to it for fear of being sued under the DMCA?

The best thing for Sony to do at this point would be to apologize publicly and issue a recall on all malware-infested CDs. Otherwise they'll never live this down.