Jeremy's almost but not quite entirely moribund blog

Thursday, November 03, 2005

Sony's reaction: Not nearly good enough

In response to criticism about its rootkit-installing CD, Sony and First4 Internet (its UK-based subcontractor that actually wrote the malware) have released a patch that will allegedly uninstall the rootkit, so that files, processes, and registry keys starting with $sys$ are no longer hidden from the user. The patch does not uninstall the malware, however--it still spies on executing process and continuously saps system resources, it still interferes with normal operation of the CD-ROM drive, and there's still no way to completely uninstall it without contacting Sony BMG and inviting spam from them.

Sony needs to release full instructions on how to completely uninstall its DRM malware. (An executable will not do, since that would require us to trust that it works, and Sony has clearly betrayed that trust.) If removing that malware means users can no longer listen to CDs, then Sony needs to accept returns with full refunds for all its affected victimscustomers.

I personally will not purchase media from Sony or any of its subsidiaries again until Sony does the following:

  • Acknowledge that its DRM does indeed pose security and stability risks and publicly apologize for it
  • Recall all CDs and DVDs that install DRM solutions that interfere with the normal operation of the computer, including but not limited to the following actions:

    • Hide processes, registry keys, or files from the user or operating system
    • Hook kernel interfaces
    • Install any code of any kind that runs in ring 0, including but not limited to filter drivers
    • Monitor processes that are not its own
    • Constantly consume CPU and/or memory resources
    • "Phone home" in any way, shape, or form
    • Cannot be completely uninstalled through normal means
  • Promise never to ship such DRM solutions again

Good reads on this subject:

When Vendors Install Malware (eWeek)
The Cover-Up Is the Crime (Wired News)
SonyBMG and First4Internet Release Mysterious Software Update (Freedom to Tinker)

UPDATE: Sony's "patch" doesn't uninstall the rootkit after all! It just turns off the $sys$ cloaking. And yet Sony continues to insist their DRM is "not a security risk" and is "not malicious". These statements are blatant lies. As the author of the blog linked above writes,

Anything that alters the underlying functionality of our computer at the kernel level compromises our security. Anything that does it without our knowledge to prevent us from using our computers as we like is malicious.


Post a Comment

<< Home