Bruce Schneier’s latest article for Wired is all about Sony’s hyperevil rootkit DRM debacle. It includes a comprehensive timeline, as well as Bruce’s efforts to get to the real story in the whole saga. Bruce says, "It’s a David and Goliath story of the tech blogs defeating a mega-corporation."
It’s a tale of extreme hubris. Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers’ computers. When its actions were first discovered, Sony offered a "fix" that didn’t remove the rootkit, just the cloaking. Sony claimed the rootkit didn’t phone home when it did. On Nov. 4, Thomas Hesse, Sony BMG’s president of global digital business, demonstrated the company’s disdain for its customers when he said, "Most people don’t even know what a rootkit is, so why should they care about it?" in an NPR interview. Even Sony’s apology only admits that its rootkit "includes a feature that may make a user’s computer susceptible to a virus written specifically to target the
However, imperious corporate behavior is not the real story either.
This drama is also about incompetence. Sony’s latest rootkit-removal tool actually leaves a gaping vulnerability. And Sony’s rootkit — designed to stop copyright infringement — itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library’s license agreement. But even that is not the real story.
It’s an epic of class-action lawsuits in California and elsewhere, and the focus of criminal investigations. The rootkit has even been found on computers run by the Department of Defense, to the Department of Homeland Security’s displeasure. While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be. And lawsuits are never the whole story.
This saga is full of weird twists. Some pointed out how this sort of software would degrade the reliability of Windows. Someone created malicious code that used the rootkit to hide itself. A hacker used the rootkit to avoid the spyware of a popular game. And there were even calls for a worldwide Sony
After all, if you can’t trust Sony not to infect your computer when you buy its music CDs, can you trust it to sell you an uninfected computer in the first place? That’s a good question, but — again — not the
So what is the real story? I’m not going to steal Bruce’s thunder, or deprive Wired of your precious clicks. So if you’re interested, I highly recommend giving it a read.