Friday, November 04, 2005

Sony DRM rootkit code (#11)

John W. Suthers
Attorney General
State of Colorado

Dear Sir:

This is to request that your office investigate the business practices of Sony and its various music subsidiaries in their sale of compact disks (CDs) containing computer code that intentionally harms the computers on which it is installed. The code was apparently designed to enforce Digital Rights Management (DRM), but goes well beyond that. It appears that many, if not most, music CDs being sold today by Sony subsidiaries that are marked as having "copy protection" include this malware, which Windows computers automatically try to install whenever they first detect such CDs.

Last week, the installation of this code was detected by operating systems expert Mark Russinovich and documented in his blog as: "Sony, Rootkits and Digital Rights Management Gone Too Far". Subsidiary information can be found on my own blog: http://bhayden.blogspot.com/

Apparently, the Sony code is automatically installed with the Windows autorun feature. It loads a couple of drivers and then crudely hides them and all the associated registry entries (which is why Mark calls this a rootkit). In addition to checking to see if a user can legally play any subsequent CD loaded in his CD drive, the code also scans all running programs every two seconds, querying information about their executables each time, regardless of whether or not a CD is currently loaded in the CD drive. Also, in loading and registering these programs, the Sony code installs some system call hooks to link some of its routines into the Windows kernel. Both the crude hiding of the DRM code and the system call hooking introduce serious system stability and security problems into the computers in which the software is installed. Indeed, there is evidence that the hacking community is already starting to exploit both.

The problem is that this software is little different from the "spyware" that has become so prevalent, except that it is delivered via CD instead of over the Internet. In an older version of Sony's End User Licensing Agreement (EULA), no mention whatsoever is made of the code. In the latest version, instead of describing what the code actually does and how it affects computers in which it is installed, Sony instead prohibits disassembly and the like of the code - and appears to be threatening to use this against anyone who tries to detect and uninstall its code. This EULA does state that if you don't like the code, it can be uninstalled, but then doesn't supply uninstall code. Then, the uninstall code that you can download from its site merely removes the crude cloaking, leaving the code that scans all running processes every two seconds and the system call hooks in place.

The Sony malware arguably violates the CO Consumer Protection Act, notably C.R.S. 6-1-105(u), as well as numerous federal statutes, including the Digital Millennium Copyright Act (DMCA) and the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT). Also, Sony may be liable under theories of common law trespass to chattels, consumer fraud, negligence, and computer tampering.

The reason that I am referring this to your office is that Sony is one of the biggest sellers of music in this country. Without intervention, it is likely that probably hundreds of thousands of Sony CDs containing this DRM malware will be purchased by tens of thousands of Colorado residents and installed on tens of thousands of Colorado computers over the next year.

Already, some California attorneys are looking for class plaintiffs for class action suits against Sony over this. While this crude weapon would presumably work in the long run to get Sony to change its actions, my view is that typically the attorneys involved benefit most from this type of lawsuit. I believe that action by the Colorado Attorney General's office, as well as by other Attorneys General, would much better serve the music buying public.

Thank you for your consideration of this matter.
Bruce E. Hayden
Dillon, Colorado

7:14 AM