your village voice

Sony Creates Security Hole In Windows

Usually I attempt to forego my "tech talk" in this blog, trying to focus my attention on news, politics and world affairs. But some of the newer anti-piracy software out there has been encroaching too much into our personal freedoms for me to ignore. Sony, considered the creator of the CD format, has now found a way to kill privacy and security in one fell swoop.

I have argued before that copyright was never meant to restrict "fair use," and that electronic copies of music should be controlled by listeners and artists, not record companies (Supremes In A Digital Age). I have also agreed with those who claim the "virtual world" has the potentional to become more restrictive than the "real world," throttling creativity and innovation. So, the freedoms once empitomized by the internet are now being replaced with tyranny and privacy invasion.

But now we have proof positive of what was long held as a "wild conspiracy theory": large companies are hacking into our personal lives, claiming to reduce piracy. Sony, in an age where CD sales are plummeting, decides to reduce them even further by forcing hacking software onto their customers' machines. Digital Rights Management (DRM) is the software that Sony and other CD manufacturers are installing on their CDs to restrict piracy. The concept is to allow only a set number of electronic copies from users. It only works with Windows systems, only attaches itself from legally-purchased CDs.

Though I already have problems with that, Mark Russinovich of Sysinternals found something even more sinister in Sony's DRM: a rootkit. Rootkits are typically used by hackers to hide certain files or directories from the OS, most often to viruses and worms. This was obviously an attempt for Sony to conceal their anti-privacy files from prying eyes. This is mentioned only in broad terms in their End User License Agreement (EULA) and on an ambiguous CD label ("DRM Software Inside!").

Sony's official word is laughable. At most, a typical user can user can download a "fix" that does nothing more than unhide the offending files. Charlie Demerjian of The Inquirer describes the procedure from there:

The funniest part is that you don't actually remove the software with this tool, only make it visible, and you are still infected up and down with DRM. Should you be lucid enough to realise that you don't want this crap within a few miles of your system, you have to go through the grilling process above. Want to make it seem even more surreal? If you remove the malware and DRM infection, you can't play the CD anymore. Nope, the money you spent on Sony products is gone. Mal-way or the highway.

If you try to remove it yourself, you risk breaking your optical discs, or it kills them for you. Mark from Sysinternals is more than smart enough to figure out how to fix this, but are you? Off the top of your head, how do you do that again, no looking it up? To make matters worse, it installs itself so it runs in safe mode, and if it conflicts with something, you are really hosed. Sony's response? "This component is not malicious and does not compromise security.".

There already are exploits out there that take advantage of this.

Sony and other record companies should be sued for these kinds of actions. If this is allowed to stand, I have no doubt more companies will follow Sony's example. We need federal legislation to stop this.

posted by the prisoner @ 9:23:00 AM