Schneier on Sony’s rootkit DRM

Bruce Schneier’s latest article for Wired is all about Sony’s hyperevil rootkit DRM debacle. It includes a comprehensive timeline, as well as Bruce’s efforts to get to the real story in the whole saga. Bruce says, "It’s a David and Goliath story of the tech blogs defeating a mega-corporation."

It’s a tale of extreme hubris. Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers’ computers. When its actions were first discovered, Sony offered a "fix" that didn’t remove the rootkit, just the cloaking.

Sony claimed the rootkit didn’t phone home when it did. On Nov. 4, Thomas Hesse, Sony BMG’s president of global digital business, demonstrated the company’s disdain for its customers when he said, "Most people don’t even know what a rootkit is, so why should they care about it?" in an NPR interview. Even Sony’s apology only admits that its rootkit "includes a feature that may make a user’s computer susceptible to a virus written specifically to target the

However, imperious corporate behavior is not the real story either.

This drama is also about incompetence. Sony’s latest rootkit-removal tool actually leaves a gaping vulnerability. And Sony’s rootkit — designed to stop copyright infringement — itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library’s license agreement. But even that is not the real story.

It’s an epic of class-action lawsuits in California and elsewhere, and the focus of criminal investigations. The rootkit has even been found on computers run by the Department of Defense, to the Department of Homeland Security’s displeasure. While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be. And lawsuits are never the whole story.

This saga is full of weird twists. Some pointed out how this sort of software would degrade the reliability of Windows. Someone created malicious code that used the rootkit to hide itself. A hacker used the rootkit to avoid the spyware of a popular game. And there were even calls for a worldwide Sony boycott. After all, if you can’t trust Sony not to infect your computer when you buy its music CDs, can you trust it to sell you an uninfected computer in the first place? That’s a good question, but — again — not the real story.

So what is the real story? I’m not going to steal Bruce’s thunder, or deprive Wired of your precious clicks. So if you’re interested, I highly recommend giving it a read.

9 thoughts on “Schneier on Sony’s rootkit DRM”

  1. Just a warning to people using Napster…IT SERIOUSLY FUCKS UP YOUR COMPUTER!!!! I tried the free trial and it requires you to download this DRM program. Long story short, I decided to cancel Napster because iTunes is actually cheaper. I then uninstalled Napster and the DRM program. I later found out that DRM had secretly attached itself to other programs that I already had, including the main WINDOWS XP, and caused serious problems with my system. I worked for days with technical teams in an attempt to correct it. It still doesn’t work the same and many of my music files won’t play anymore. I hope that the knowledge about this dilemma spreads so some people will be saved from all the drama it causes.

  2. Twice a week, I pass the Sony Store in the Rideau Centre, and they have a few of the Vaios in the window.
    I wonder… Is the root kit installed on all the systems they sell? I’ll have to drop in and ask them… Not that I expect an honest answer, of course.

  3. I actually worked for Sony at one time. I would have to agree with the whole "Sony doesn’t care about its customers" bit. They want money and they aren’t too picky about how they get it. I was a mere telesales rep, but the general idea was: find out what the customer wanted, then convince them that they need twice as much. Sadly, in order to meet our unreachable sales goals, we did this.
    And here’s a hint on returning something: Don’t waste your time. Put it on eBay and hope for the best.

  4. Yeah, not only DVD Jon’s software, but First4Internet included elements of the LAME encoder, in violation of the LGPL and the GPL!
    It’s hard to decide if they are more evil, or just more stupid.

  5. Vaios have been known to be some of the biggest POSs when it comes to packaged systems. I would never buy a Sony. The only reason I have a Sony burner is because I bought it from a friend for $50 when he upgraded to DVD.

  6. Sony Copy Protection Evilness

    I sent my Road To Rouen CD back and got a full refund. This was the first Copy Control CD that I failed to circumvent, but having read Bruce Schneier’s article via Wil on the Sony rootkit evilness, I will in future refuse to purch…

  7. Hello!
    I found your blog in the fabulous hypertext way (I’m dating myself by using that word, eh?). A quiz told me that I was most like your Star Trek character, and since I knew your name, just nothing about Star Trek, I poked around. Voila!
    I see “Geek.” I see, uh, hmmm, what? Bruce Schneier. WTF and holy cow. So then I learned more and couldn’t resist posting just to say, WTG.
    I sometimes write on infosec for ordinary users — people who don’t know how to send an attachment, for instance. I love to make connections to pop culture, to get their attention in an entertaining way. So I’m thrilled! Wil Wheaton pays attention to security!
    And, btw, I knew your acting best through Stand By Me and not Star Trek.
