One of the biggest corporations on the planet -- namely Sony -- thought it appropriate to distribute invasive SpyWare as a form of CopyRight protection ("DigitalRightsManagement"). Users need to be careful what music CDs they buy and how they play those CDs on their computers. The trend is very alarming.
The incident was revealed by MicrosoftWindows system programming expert Mark Russinovich, and later reported by the WashingtonPost and other national media.
[http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html]
In a damage control effort, Sony put out a spin (http://cp.sonybmg.com/xcp/english/updates.html) and offered a service pack that only removes the hiding feature. The resolution is simple:
Roger that. Already I have decided to extract all Sony junk from my systems; I wasn't happy with the way their CD-ROM drives performed anyway. Now I have a good excuse to yank all Sony kaka of all kinds from all my machines and my clients' boxes as well.
Sony is in for more than they bargained for. While a google for "Sony rootkit" performed a few days after its discovery returned 1000000 hits, at less than 2 weeks it returns a whopping 3750000. Hardly anything is positive for Sony. The story was featured on NationalPublicRadio where an executive from Sony made the puzzling comment, "Most users of our CDs don't know what a rootkit is".
And with a company like Sony, lawyers can hardly ask for a better target. The first legal trouble started in Italy where ALCEI (a kind of ElectronicFrontierFoundation) filed a penal complaint with the authorities (strangely in this case, the "finance guard" is an IRS of sorts). http://www.alcei.org/index.php/archives/106. The EFF itself is considering a lawsuit http://www.eff.org/deeplinks/archives/004144.php.
Now there's also a California class-action opened against Sony. There's a California anti-spyware law that expressly bans techniques designed to prevent rightful owners of computers from uninstalling software http://blogs.washingtonpost.com/securityfix/2005/11/calif_ny_lawsui.html.
Hopefully after this huge mess there will be a serious discussion about SoftwareEthics. According to Mark Russinovich, the guys who wrote the rootkit were beginners in system software. They were working for a UK company, which licensed technology to Sony. Presumably some programmers from Sony also were involved before the CDs were imprinted with the final product. Somebody must have known that not everything was all right, but in the absence of a code of ethics for our profession both programmers and their managers ducked their heads in the sand. So now a big company is likely to have to pay big time.
As society becomes more and more dependent on software technology, it is important to establish clear guidelines as to what kind of software is acceptable for a software professional to write and what kind of software should be considered unethical.
Truly, I hope this bytes Sony in the ass at least as hard as the flap over that crap Buena Vista (Disney) pulled with the DVD intro advertising. Anybody care to compare and comment?
Sony is suspending new CDs from including their "XCP" technology but is not apologizing. See http://www.bangkokpost.com/breaking_news/breakingnews.php?id=61614
In midNov05, MicroSoft is said to have promised an update to their spyware removal tool to include the ability to remove the SonySpyware. See http://news.com.com/2102-1002_3-5949041.html?tag=st.util.print
November 17th: now google returns 10 000 000 hits for Sony rootkit.
It turns out that the "uninstall" program offered by Sony to its customers has an even more glaring security flaw http://blogs.washingtonpost.com/securityfix/2005/11/this_post_is_ge.html . The uninstall consists of an ActiveX control that installs on the local machine and is marked as "safe for scripting" as far as IE is concerned. The problem is that the control is a general software install/uninstall utility that does not verify signatures or anything, so any rogue site is able to take advantage of the existence of this control and do whatever it wants with the user's computer. If the rootkit was bad, this is really stupid.
Big news in NovemberZeroFive