Okay, who out there has been buying music from Sony? Because you might want to, you know, not do that anymore. Why? Well, because Sony figures that it has the right to install deceptive, underhanded, and, according to Mark Russinovich, sloppily written, potentially computer-crippling software on your computer if you're honest enough to buy your music properly. I'm apparently pretty late in learning about all this, so I imagine that you guys will already have heard about it. It's been in the papers and in some comics lately (including Foxtrot, in this comic here). Anyway, as a brief summary, this stuff installs itself on your system as part of a music player that Sony requires you to use to play the disc, and it hides itself using cloaking techniques that some malware will use to hide itself from virus scanners. It dicks around with some kind of driver filtering (I don't really know what that means) and does not come with automated uninstallation. If you just delete the files, you can cripple your system--and the way it installs registry keys, it tries to load this stuff in safe mode, too. And if you do manage to uninstall it except for the driver filtering level, it disables your CD drive. Best of all, this code is exploitable, opening your computer up to greater risk from actual malware (as opposed to malware-technique-using digital rights management).
Sony eventually recognized that there was a problem with this, I guess, and stopped production of the security-compromising discs, but they still refused to take the blame. Oh, and note there that you had to ask Sony's permission to remove their software from your system. Nice. And apparently the ActiveX control they used to uninstall it was remotely exploitable as well.
And now, while Sony is still claiming that they're not guilty of any wrong-doing, they're also recalling existing discs and offering to replace the "spyware-laden CD's" (Russinovich's words) with unprotected versions. Russinovich points out, though, that they haven't made any statements on policy regarding disclosure on installation of DRM software or rootkits.
This was a really slimy piece of work. I'm all for people buying the music they want to be able to listen to on demand. I'm no MP3 virgin, but I recognize that morally, ethically, and legally, purchasing music is superior to downloading it piratically (fun word, that); however, companies like Sony and First4Internet (the company that licensed the problematic software to Sony in the first place) are not promoting this course with pushy, annoying, and even system-compromising DRM solutions like this. I don't buy a lot of music anyway (or listen to much, aside from some radio), but I can tell you that I won't be buying anything from Sony in the near future. I don't know if I'd be quick to forgive them even if they did promise to behave properly in the future with respect to rootkits, disclosure, et al. When I compromise my system and have some piece of malware take over my system because I was downloading irresponsibly, that's my problem, and possibly even poetically just (and that happened to me recently, too; I managed to get myself infected with something called Spysheriff, which presents itself as a spyware detector but travels the Internet in the manner of a virus or trojan, usually accompanied by other nasty pieces of work, and hijacks IE and your desktop wallpaper, among other things. Took me the better part of a day to get rid of that stuff). When I compromise my system and have it taken over by resource-eating spyware because I bought a legal product from a major music company, that's just bad business.
Anyway, this was pretty hastily researched, and I only used about two distinct sources. For your fact-checking edification, and for some more depth on the saga, there follow some links to posts on Mark Russinovich's blog on the subject (most of his recent posts seem to be about this; also, I don't really know who this guy is, having never heard of him before):
Also, there's a slightly outdated article on the Register about Sony suspending production and not apologizing here, which contains a link to a list of affected CDs, and here is an article about malware writers taking advantage of the security-compromising code; First4Internet's software apparently doesn't even restrict itself to selectively cloaking its own files, but instead cloaks all files with names starting with "$sys$". Wow, guys. Wow.
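That "$sys$" prefix behaviour actually gives you a cheap way to check a machine for this kind of cloaking, so here's a small script I'm adding as an example (it's mine, not Russinovich's and not anything from Sony or First4Internet). The idea is simple: create a harmless file whose name starts with "$sys$", then ask the operating system to list the directory. A clean system lists it; a filter driver that hides every "$sys$" name from directory enumeration would make it vanish from the listing while the file itself still exists. The temp-directory location and the "probe.txt" file name are my own choices, and the check only tells you about cloaking that hooks directory enumeration the way the post describes; it says nothing about other hiding tricks.

```python
# Added example, not code from the original post: a defender-side probe for
# filename cloaking of the kind described above, where every file whose name
# starts with "$sys$" is hidden from ordinary directory listings.
import os
import tempfile

CLOAK_PREFIX = "$sys$"


def probe_name_cloaking(directory=None, prefix=CLOAK_PREFIX):
    """Create a file whose name begins with `prefix` and check whether normal
    directory enumeration still reports it.

    Returns a dict with the probe path and two booleans:
      'listed'  - the name showed up in both os.listdir() and os.scandir()
      'stat_ok' - os.stat() on the exact path succeeded
    On a clean system both are True. A cloaking filter that hides the name
    from enumeration gives listed=False while stat_ok stays True, because
    the file is still there; it just isn't enumerated.
    """
    # Assumption: a fresh temp directory is an acceptable place to probe.
    tmp = tempfile.mkdtemp() if directory is None else directory
    probe_name = prefix + "probe.txt"          # constructed probe file name
    probe = os.path.join(tmp, probe_name)
    try:
        with open(probe, "w") as fh:
            fh.write("cloaking probe\n")
        listed = probe_name in os.listdir(tmp)
        with os.scandir(tmp) as entries:
            scanned = any(e.name == probe_name for e in entries)
        try:
            os.stat(probe)
            stat_ok = True
        except FileNotFoundError:
            stat_ok = False
    finally:
        # Always clean up the probe file and the temp directory we created.
        try:
            os.remove(probe)
        except FileNotFoundError:
            pass
        if directory is None:
            os.rmdir(tmp)
    return {"probe": probe, "listed": listed and scanned, "stat_ok": stat_ok}


def cloaking_suspected(result):
    """True when the probe file exists but directory enumeration hides it."""
    return result["stat_ok"] and not result["listed"]


if __name__ == "__main__":
    r = probe_name_cloaking()
    print("probe file:        ", r["probe"])
    print("visible in listing:", r["listed"], "| stat ok:", r["stat_ok"])
    print("cloaking suspected:", cloaking_suspected(r))
```

Run it as-is and you should see the file listed and "cloaking suspected: False"; if the file exists but never shows up in the listing, something on that box is filtering "$sys$" names out of directory enumeration and deserves a closer look with a proper rootkit detector.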
Anyway, if nothing else, it might be a good idea to make sure you haven't subjected your system to this stuff, and more importantly, since I think you guys are mostly pretty computer-savvy, that none of your nearest-and-dearest have fallen victim, either. And if you or anyone you know did buy one of the spyware-infested versions, make sure you get a replacement from Sony, even if you didn't want to use it on your computer; make sure that they get the message that they need to try to avoid screwing over the honest consumer. It needs to be bad business for them, not just for the consumer, before they'll really get the picture.
That's the really brilliant part of all of this, I think; it's mainly the honest, music-buying consumer that they screwed over here, not the MP3-downloading mini-pirate. Beautiful.