Archive for November 18th, 2005

Who watches the Watchmen?

The mainstream media is finally picking up a story that’s had the geek press abuzz for a week or so: since about mid-2004, Sony BMG Music Entertainment has been shipping CDs with a certain Digital Rights Management scheme on them. This DRM has been revealed this week to actually be a rootkit.

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user’s knowledge. (source: http://en.wikipedia.org/wiki/Rootkit)

As per the definition, this rootkit used spyware-like techniques to hide its presence, and didn’t provide any means to uninstall it. If you were smart enough to be able to detect it and remove the rootkit, it would end up breaking the functionality of your operating system. For example, after it was removed, you could find that your CD and DVD drives have gone missing.

It also had some other interesting attributes. Using its “cloaking abilities”, a programmer found a way to use it to disable/evade anti-cheating mechanisms in the popular World of Warcraft online role-playing game. Once people started going over the files with a fine-tooth comb, it was discovered that it appears to contain code from the open source projects LAME and VLC, violating the terms of their licenses.

Due to the outcry, Sony released an uninstaller which could be loaded via the web. However, the uninstaller caused an even bigger security problem than the original rootkit. Once you ran the uninstaller, it stayed around, and any web site you visited after that point could download any code it wanted to your computer and execute it.

Renowned security technologist Bruce Schneier wrote “Real Story of the Rogue Rootkit” for Wired. Schneier starts with a nice summary of what has happened on the security side of things and the anti-customer attitude that seems to be coming from Sony. Unlike everyone else who has been screaming just about the security, Schneier takes a look at a more interesting and scary aspect.

The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.

What do you think of your antivirus company, the one that didn’t notice Sony’s rootkit as it infected half a million computers? And this isn’t one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn’t notice? This is exactly the kind of thing we’re paying those companies to detect — especially because the rootkit was phoning home.

The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization.

I really suggest you read the whole article. It’s a great primer on the disasters that can happen down this road. The thing that is lucky for us as computer users (and for Sony as a company) is that nothing was compromised as a result of this. It could have been much, much worse than just egg on Sony’s face; think about the infections at the Department of Defense (mentioned in the Schneier article).

We often hear talk about using DRM in real estate, and some of the suggestions are pretty draconian and anti-customer. As people in the real estate industry, we need to look at nightmare scenarios like this as an example of what not to do. I’d rather sit back and let the people at the forefront of DRM take the lumps and figure out what works and doesn’t work. This is a single company taking a lump, but if the real estate industry as a whole makes a wrong DRM turn, it could be disastrous for the industry as a whole.

One last thing: in case you’re curious or are afraid you might be infected, a list of CDs that are infected can be found on this page provided by the Electronic Frontier Foundation (EFF).

I’d like to also give a big word of thanks to BoingBoing for their insanely good coverage of this. I wouldn’t have half the information stated above if they hadn’t linked to it.

PolicyPage 0.9.5 beta Released

PolicyPage is a new application from the Center for REALTOR® Technology. It is an MLS display policy compliance tool. PolicyPage is licensed under an open-source license.

PolicyPage reads MLS member websites and compares them to rules (defined in PolicyPage). It notifies the MLS and optionally the member when tests are failed. PolicyPage’s initial focus will be to deliver rules that allow checking NAR’s IDX model display rules.

The 0.9.5 beta release supports reading of text-based statements on the member or subscriber web site(s). These rules can be used to test:

  • Terms of Use statements
  • Disclaimers
  • Copyright statements
  • If required links are present on the member site.

We look to those in the Association and MLS community to assist in the guidance of the project and to assist in setting future development priorities for PolicyPage. We invite and welcome your input.

PolicyPage comments (and bugs) can be posted to the project mailing list.

You can download the PolicyPage application by visiting the project site.