Most of you have probably never heard of a root kit before. That is, unless you are a hacker, your kid is a hacker (and strongly forthcoming in his nefarious dealings) or you have become the victim of a hacker.
Nevertheless, if you recently purchased a new music CD (Christmas shoppers be warned) distributed by Sony BMG, congratulations, you just received a root kit without even knowing it. Ironically, that’s just what a root kit does: hide computer files on your PC.
Enough banter, let us dig into this story.
On October 31st Mark Russinovich wrote an online article that blew the cover off of Sony’s underhanded plan. Russinovich, who creates anti-spyware security software, was testing his latest creation, RootkitRevealer, and found, to his surprise, evidence of an authentic root kit on his own computer.
Russinovich’s article is somewhat technical as he reviews each step he took (there were many) to finally determine the root kit’s origins and to uninstall the hidden files. In the process he was able to uninstall the root kit, but then the root kit uninstalled his CD drive.
The origin of the hidden files was not apparent at first, but with some research Russinovich found that the creators, First 4 Internet, had a contract with Sony to provide DRM software. This caught Russinovich’s eye because he had recently purchased “Get Right with the Man”, the Van Zant brothers’ latest album, and had installed it on his computer. His research confirmed his suspicions: Sony BMG had installed files on his computer without his knowledge.
Mark Russinovich broke the story, but now we learn from the Electronic Frontier Foundation that Sony also has a contract with SunnComm to provide software similar to that created by First 4 Internet. The EFF has filed a class action lawsuit against Sony BMG stating that Sony BMG should pay for any damage created by both the SunnComm and First 4 Internet software.
The issue is further complicated by Sony, which has silently released software to uninstall the First 4 Internet software. However, the uninstaller creates more security problems than the original software.
What about SunnComm? Well, Sony BMG has been so kind as to offer software patches to all the major anti-virus software makers. This would allow the anti-virus makers to create software that will let them check the Sony BMG files for viruses. The catch is that Sony BMG said they will not release an uninstaller for the SunnComm software.
To summarize, Sony BMG says that they have the right to install software on your computer that will allow them to keep you from copying songs and that will send them statistics about your music listening.
The obvious question is: does Sony have any right to do this? Strangely enough, they may, but only with your consent. And on that point we find a catch-22. Sony’s CDs featuring the new Digital Rights Management software include an End User License Agreement, or EULA.
The EULA does mention proprietary software:
“As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT.”
This obviously is referring to software, not music; however, it says nothing about the software being hidden, opening security holes or disabling computer hardware when uninstalled.
If a user purchased one of Sony BMG’s new CDs, such as Switchfoot’s release “Nothing Is Sound”, and played it in his computer, he had to agree to the EULA. The EULA is lacking in sufficient information at best, and misleading at worst.