Sony BMG continues to have problems over its rootkit distribution in what has turned into a public relations nightmare. It seems like they've done everything wrong in this situation and they continue to make it worse. Now, it's been discovered the cure is actually worse than the disease.
A quick recap is in order. Several months ago, Sony BMG began distributing Digital Rights Management (DRM) software on their music CDs to prevent people from making multiple copies of their discs for piracy purposes. On 20 of those CDs distributed through their various labels, they included software called a rootkit. It was not mentioned in the End User License Agreement (EULA).
A rootkit is a program that masks certain activity on a computer, particularly that of someone rooting around for information in it. Rootkits are most commonly used by malware distributors to dig around and scan one's computer and in some cases do some ugly things in there. Yes, big-time music distributor Sony BMG put this on your music CD.
Enter F-Secure and Mark Russinovich of Sysinternals. They picked up some of the infected CDs and installed them on their computers. They did some digging around after the fact and found this program, the rootkit. They ran some tests to verify what it was. Then they tried to uninstall it. It made their disc drive disappear. They also said this rootkit was a great way for hackers to get into one's computer and cause all kinds of problems. They published their results on their blogs and the tech world went crazy.
Sony put up a fix on their website. The fix wasn't all that, though. First, you had to fill out a form for it. Then when it was installed, some reported it crashed their computer and removed some data files. The uninstaller gets even better, though. The Freedom To Tinker blog reported that a Finnish researcher named Muzzy came upon a potential vulnerability in the web-based uninstaller for the First4Internet XCP copy protection software. Freedom to Tinker said this vulnerability represents a greater risk than the original rootkit. Thanks Sony!
Did I mention viruses were floating around? A Romanian security firm called BitDefender discovered Trojan variants this past Thursday and fixes have already been developed. Microsoft said they were including a fix in their December patch release as well.
Next would be the lawsuits. Lawyers in California have already filed suit, claiming Sony's broken multiple laws with this rootkit row. There's also been talk of lawsuits in New York and from other groups.
The Electronic Frontier Foundation, which is also gauging a potential lawsuit, recently posted an open letter to executives at Sony for everyone to read. They made a few suggestions for Sony BMG that they think could help the situation:
· Recall all CDs that contain the XCP and SunnComm MediaMax technology. The recall must include removing all infected CDs from store shelves as well as halting all online sales of the affected merchandise. We understand from a recent New York Times article that well over 2 million infected CDs with the XCP technology are in the marketplace and have yet to be sold.
· Remove from all current and future marketing materials statements like that on http://cp.sonybmg.com/xcp/english/updates.html that say the cloaking software "is not malicious and does not compromise security."
· Widely publicize the potential security and other risks associated with the XCP and SunnComm MediaMax technology to allow the 2.1 million consumers who have already purchased the CDs to make informed decisions regarding their use of those CDs. The publicity campaign should include, at a minimum, issuing a public statement describing the risks and listing every Sony CD, DVD or other product that contains XCP or SunnComm MediaMax. The publicity campaign should be advertised in a manner reasonably calculated to reach all consumers who have purchased the products, in all markets where the CDs have been sold.
· Cooperate fully with any interested manufacturer of anti-virus, anti-spyware, or similar computer security tools to facilitate the identification and complete removal of XCP and SunnComm MediaMax from the computers of those infected. In particular, Sony should publicly waive any claims it may have for investigation or removal of these tools under the Digital Millennium Copyright Act (DMCA) and any similar laws.
· Offer to refund the purchase price of infected CDs or, at the consumer's election, provide a replacement CD that does not contain the XCP or SunnComm technology. For those consumers who choose to retain infected CDs, develop and make widely available a software update that will allow consumers to easily uninstall the technology without losing the ability to play the CD on their computers. In addition, consumers should not be required to reveal any personally identifying information to Sony in order to access the update, as Sony is currently requiring.
· Compensate consumers for any damage to their computers caused by the infected products, including the time, effort, and expenditure required to remedy the damage or verify that their computer systems or networks were or were not altered or damaged by XCP or SunnComm MediaMax products.
· Prior to releasing any future product containing DRM technology, thoroughly test the software to determine the existence of any security risks or other possible damages the technology might cause to any user's computer.
· Certify in a statement included in the packaging of every CD containing DRM technology that the product does not contain any concealed software such as the XCP rootkit, does not electronically communicate with Sony-BMG or any other party, does not initiate the download of any software update or other data without informed consent of the consumer immediately prior to each communication, can be uninstalled without any need to contact Sony or disclose personally identifying information to anyone, does not present any security risks to any consumer's computer, and will not damage or reduce the performance of the consumer's computer or data in any way.
Sony announced the recall today of all the discs involved. They've also offered to replace all CDs with copies without the offending software for consumers. Mark Russinovich also pointed out in his blog that Sony BMG hasn't made this fix all that easy to find. As they point out, if someone happens to be unaware of this situation, then there's nothing on the website to suggest there is a problem. Sony's going to continue to hear all this until they fix this entire problem.
Sony never should've placed the rootkit on their discs to begin with. Now viruses exist just to utilize the rootkit and create problems. Then they make statements that are inane in this situation. If I were their PR firm, I'd be looking for someone's head right now. Sony displayed incredible ineptitude in this situation and it may have cost them a lot of record sales. I know it cost them mine and I will encourage people to do the same.