Why You Shouldn't Buy Products From Sony This Season
Rootkits, by design, are virtually undetectable by anti-virus and anti-spam products. Even if they are detected, they integrate themselves so completely into the operating system that they are almost impossible to remove without going through a clean OS installation.
11/14/05 5:00 AM PT
A couple of weeks ago I wrote about how Google was on track to become the next "Evil Empire" because they were increasingly behaving as if they were the center of the universe. The central theme of the piece was how companies, particularly those that grow very quickly, can lose track of their ethics and, by placing their needs in front of all others, move from being widely admired to widely despised.
As if in counterpoint, an older, once widely respected company, showcased last week how power can be misused with disastrous results. In what was clearly an unintentional effort to demonstrate how even large, mature companies can behave in a fashion many of us would call criminal, Sony was identified as putting a "rootkit" on its music CDs. Rootkits, often used by criminals to take control of and/or extract information from a victim's PC, are one of the nastiest of attacks that are rapidly spreading over the Web.
There is a highly regarded book on this subject which should be required reading by any cyber-security professional. Coincidently this book is called "rootkits," and it has its own Web site. Amazon carries it; maybe someone should buy it for the Sony CEO as a gift.
Its Own Undoing
The decision to use a rootkit approach reeks of the worst of intentions.
DRM is clearly on track to be the death of Sony unless something changes. Sony, who owned the iPod predecessor, the Walkman, should have owned the portable MP3 player space. A few years ago the company flew a number of us to Japan to see their then new players and they were, as is often the case, gorgeous. Small, attractive, easily the equivalent of anything Apple has later done with one massive exception: the DRM implementation was so nasty you would have had to have been insane to buy the product.
This implementation, which did a wonderful job of protecting the music, also made the products almost impossible to use and there were no provisions to back up the music you bought or move it to a new PC. In effect, the protection was so good the user couldn't get to it and the products quietly failed.
This is what Steve Jobs' team got right out of the gate: There had to be balance between the concerns of the media companies and the needs of the consumers or either would simply choose not to play. You would think that, with the success of the iPod and what appeared to be clear with their upcoming Blu-ray optical disk, Sony would have learned its lesson and not tried to destroy the consumer experience ever again.
You would be wrong. This rootkit was designed specifically to address piracy and it does so by trampling the rights of every customer, honest or not, that buys one of the intentionally infected CDs. The downside to this behavior goes far beyond destroying a product line -- it could destroy the company.
Rootkits, by design, are virtually undetectable by anti-virus and anti-spam products. Even if they are detected, they integrate themselves so completely into the operating system that they are almost impossible to remove without going through a clean OS installation. UK outlet The Register recently covered this at length. In effect, you are generally better off buying a new PC.
Once installed, rootkits provide a pipe that can bypass any security features in the OS and many third-party tools to allow any knowledgable criminal access to your PC. In effect, it is like having someone you invited over to play music change your locks to accept a master key that they, or anyone else who had that master, could use to get access to your home any time they wanted.
The word "nasty" is simply inadequate for describing the nature of these tools. Security firms like Computer Associates and even Microsoft itself have begun efforts to assess and mitigate the damage that Sony has caused.
The liability for Sony could be extreme should this rootkit get on a PC and result in compromising critical medical data, personal information, or a large amount of financial information. Related liability could grow to astronomical proportions and Sony's response to date has been to offer a convoluted process that may or may not remove the tool if you happen to discover it has been installed.
This process is detailed on the Freedom to Tinker Web site maintained by Ed Felten, Professor of Computer Science and Public Affairs at Princeton University.
In an interview on NPR recently, a Sony executive, in response to the outcry about Sony's questionable actions and inadequate response, suggested that since most people don't know what a rootkit is, they had little reason to care about it. This probably wins the award for the most arrogant comment I have ever heard from a top executive. Kind of makes you wish there was a corporate equivalent to the Darwin awards .
Exploits and Litigation, Oh My!
Last Thursday the first Trojan to exploit Sony's rootkit was identified according to the Inquirer. This Trojan, called the Stinx-E was apparently spammed to e-mail addresses disguised as an article with photos and had an executable named Article+Photos.exe. This has since been picked up with more detail by the Washington Post with more detail including what may be a second attack. The post also quotes Sony's now CEO as saying in 2001 that it would cheer him up to dispatch a virus to evidently punish those who illegally copy music. It goes without saying, that if you get one of these files in the mail, don't click on it unless you really want a good reason to buy a new PC.
This Trojan is now in the wild and proliferating, and this is the first time I'm aware of that that something like this has been intentionally created by any large company.
According to Slashdot, California, the litigation capital of the world, has filed a class action lawsuit against Sony and another one is pending in New York. The filing argues that Sony, by attacking its customers with this rootkit, has violated at least three California statutes designed to protect consumers and asks the court to prevent the sale of Sony CDs in California and also seeks unspecified damages. If these virus and Trojan attacks continue I think we may be on the way to record damage awards in a number of states rivaling what happened with Microsoft after their DOJ trial. One has to question whether Sony has the assets to weather this kind of storm. At the very least Sony may find the need for a new executive staff rather quickly.
Don't Buy Sony
Accidents happen, but this was clearly a considered action. My view is that any company that actively attacks or exposes its customers to attack should not be in business. This is the holiday buying season, and I agree with my friend Dan Gillmor: There is no better way to showcase your dissatisfaction with this behavior than by simply not buying Sony. Given that a large number of media companies appear to be considering similar behavior, this would remind these companies that messing with consumers in this way is something they should avoid like the plague.
Rob Enderle, a TechNewsWorld columnist, is the Principal Analyst for the Enderle Group, a consultancy that focuses on personal technology products and trends.