News of the week: Sony’s DRM software uses rootkit techniques

Recap
DRM-protected CDs from Sony surreptitiously install software on users’ computers. The software is hidden using rootkit techniques normally associated with malware, isn’t mentioned in the EULA, and cannot be uninstalled safely by the average user. The software is also badly written, wasting resources, opening up the computer to other malware, and potentially corrupting the system if it’s removed by an uninformed user.

And as if that wasn’t enough to make a good story, Sony first resists public requests for an uninstaller, then makes available an uninstaller that is written as badly as the original program (if not worse), and then makes the users jump through various hoops to get it, including downloading and installing an ActiveX component of uncertain provenance…

It took a few days for the story to spread through all mainstream media (it’s a bit technical after all). And of course it took only a short moment before someone wrote a Trojan exploiting this.

Sony, blind and oblivious to all the uproar, says, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” This is nothing, not malicious at all, and you shouldn’t bother your pretty little heads with all this grownup stuff.

And naturally Sony is now getting sued and boycotted by all and sundry.


The story is fabulous, better than fiction. I’ve really enjoyed following it. (It helps, of course, that the original articles at SysInternals blog make for a good read – thoroughly detailed, understandable, well written and well illustrated.) The whole situation is such a spectacular combination of evil, stupidity and incompetence. It is so absurd that it ceases to be annoying and becomes entertaining.

First, the strategically incorrect decision to build something like this must have been based on a grossly mistaken understanding of how their customers would react if they ever found out. Second, they misjudged the skills of their coders vs. the skills of spyware hunters. Third, they lied in the EULA. Fourth, they completely misread and mishandled the public reaction by first denying the problem, and then trying to avoid responsibility.

So, the business development people are incompetent, as are the people in charge of software project outsourcing, and their lawyers, and their PR department. Hmm… that’s about the whole firm… excepting HR and finance.

It’s difficult to imagine what more Sony could have done to make this worse. Perhaps they could have tracked users who use the software? They could have, actually, since the software phones home as well… Oh, the one thing they haven’t tried yet is to enforce the EULA and countersue users who remove the malware.


What does one learn from this?
That when it comes to software, you can’t trust anybody, and you can’t be too careful. A large well-known company is not necessarily more trustworthy than a small unknown one.