November 01, 2005

Sony v. their customers - who's attacking who?

In another story similar in spirit to the Cuthbert case, Adam points to Mark who discovers that Sony has installed malware into his Microsoft Windows OS. It's a long technical description which will be fun for those who follow p2p, DRM, music or windows security. For the rest I will try and summarise:

Mark bought a music disk and played it on his PC. The music disk installed a secret _root kit_ which is a programme to execute with privileges and take control of Microsoft's OS in unknown and nefarious ways. In this case, its primary purpose was to stop Mark playing his purchased music disk in various ways.

The derivative effects were a mess. Mark knows security so he spent a long time cleaning out his system. It wasn't easy, well beyond most Windows experts, even ones with security training, I'd guess. (But you can always reformat your drive!)

No hope for the planet there, then, but what struck me was this: Who was attacking who? Was Sony attacking Mark? Was Mark attacking Sony? Or maybe they were both attacking Microsoft?

In all these interpretations, the participants did actions that were undesirable, according to some theory. Yet they had pretty reasonable justifications, on the face of it. Read the comments for more on this; it seems that the readers for the most part picked up on the dilemmas.

So, following Cuthbert (1, 2, 3) both could take each other to court, and I suppose Microsoft could dig in there as well. Following the laws of power, Sony would win against Mark because Sony is the corporation,and Microsoft would win against Sony, because Microsoft always wins.

Then, there is the question of who was authorised to do what? Again, confusion reigns, as although there was a disclaimer on the merchant site that the disk had some DRM in it, what that disclaimer didn't say was that software that would be classified as malware would be installed. Later on, a bright commenter reported that the EULA from the supplier's web site had changed to add a clause saying that software would be added to your Windows OS.

I can't help being totally skeptical about this notion of "authorisation." It doesn't pass the laugh test - putting a clause in an EULA just doesn't seem to be adequate "authorisation" to infect a user's machine with a rootkit, yet again following the spirit of Cuthbert, Sony would be authorised because they said they were, even if after the fact. Neither does the law that "unauthorises" the PC owner to reverse-engineer the code in order to protect his property make any sense.

So where are we? In a mess, that's where. The traditional security assumptions are being challenged, and the framework to which people have been working has been rent asunder. A few weeks ago the attackers were BT and Cuthbert, on the field of Tsunami charity, now its Sony and Mark, on the field of Microsoft and music. In the meantime, the only approach that I've heard make any sense is the Russian legal theory as espoused by Daniel: Caveat Lector. If you are on the net, you are on your own. Unfortunately most of us are not in Russia, so we can't benefit from the right to protect ourselves, and have to look to BT, Sony and Microsoft to protect us.

What a mess!


And in closing, I just noticed this image of Planet Sony Root Kit over at Adam's entry:

Posted by iang at November 1, 2005 05:55 AM | TrackBack

For its part, First 4 Internet claimed the technology was only found on CDs from earlier this year and said it had created new methods to hide the DRM. Nonetheless, the company has decided to issue a patch to eliminate the cloaking and "allay any unnecessary concerns."

The patch will be made available for download from Sony BMG's Web site, with another offered directly to antivirus vendors. The DRM software will not be removed, however, only uncovered; that means users will still be unable to delete it without risk of rendering their CD drive inoperable.

Customers must contact Sony BMG support for removal instructions.

Posted by: "Sony to Help Remove its DRM Rootkit" at November 4, 2005 10:37 AM

(copied from mail list)

Unfortunately, this is an exaggeration of what Sony have agreed to do - they have issued an installable which removes the filename cloaking component while leaving the rest (primarily, the cd rom driver chain "filters" in place. It is still not possible to remove these other than manually (and yes, the system as a whole still uses up cpu and memory for no benefit other than for sony (and even then, its a trivial hack to prevent the DRM from installing in the first place - just disable autorun, which anyone halfway paranoid does anyhow)

Mind you, sony seem to have added another wrinkle to this story with their new DRM - which is aimed, not at preventing p2p copies, but at isolating Sony CDs from itunes....

Posted by: Dave Howe at November 4, 2005 10:39 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.