Sony hired First 4 Internet (one of whose corporate directors spent 12 years as a Sony director) to build the intrusive digital restrictions management software "XCP", which has been quietly installing itself on about half a million computers over the past year, including military and government sites. Many more Sony CD's install spyware DRM called "MediaMax", made by another Sony-related company, SunnComm.
Some of the bad things the XCP and MediaMax DRM malware do:
- Modifies your OS to hide and embed itself (and helps other malware hide itself). It masquerades as a real Windows service, to make it harder to notice that something bad is running.
- Interferes with your computer's ability to read the audio on that CD, not letting you use your own audio player.
- Silently interferes with any CD-ripping software you might use, even with non-Sony CD's, adding random noise to your copies.
- Secretly "phones home" to send information about you and your listening habits back to Sony (although Sony originally denied this).
- Runs all the time and slows your computer down.
- Can crash your computer, while being difficult to diagnose and repair due to its self-hiding methods.
- Using advanced tools to try to uninstall the software can render your computer's CD drives completely useless.
Some bad things Sony (and friends) appear to have done:
- Snuck the XCP software onto people's computers, providing nothing but a legal jargon license that never actually explained what the software would do, while claiming it could be uninstalled without providing an uninstall mechanism.
- The MediaMax software may install even if the user clicks "Decline."
- Failed to act to protect users after F-Secure notified Sony of the rootkit's hazards on Oct. 4.
- A few days after the bad publicity following Sysinternals' Oct. 31 exposure of the malware, Sony made a patch available that didn't actually remove the DRM or address most of the problems.
- Sony then made an XCP uninstaller available, but only to individuals upon request and only after personal information is provided to Sony. This uninstaller opened even more security holes in people's computers. Sony continued to distribute this flawed uninstaller for three full days after the weaknesses were published before finally withdrawing it from their site (where they still somehow claim that their "patch" fixes the original problems). (Here are someone's manual XCP removal instructions. USE AT YOUR OWN RISK - like you did when you installed the rootkit in the first place, or when you actually chose to buy an RIAA CD.)
- To get an uninstaller for MediaMax also requires requesting one from SunnComm. SURPRISE: This uninstaller ALSO opened computers to a backdoor vulnerability.
- Even with all these weaknesses having come to light, Sony is still encouraging people to install the rootkit malware, and First 4 Internet is still claiming that the cloaking device "does not compromise security," even while the Dept. of Homeland Security has declared it a "security threat," and says that nobody should ever install CD DRM.
- The XCP system itself appears to have infringed various copyrights, via stealing open source code in violation of the GNU General Public License and failing to publish the derivative source code. Some of that stolen code is designed to circumvent Apple's own DRM scheme, which probably places Sony in violation of the Digital Millennium Copyright Act - a damning situation for a member of the litigious RIAA.
- Sony originally claimed only around 20 titles were affected, but subsequently released a list of 52 affected CD's (XCP only - no mention of MediaMax, which affects about 267 ADDITIONAL titles). Meanwhile, Sony assured one blogger to expect that "by the end of fiscal 2005, 100% of Sony BMG titles released will contain this content protection technology. Please assume every one of our CDs are protected in this fashion."
- After claiming they'd done nothing wrong, Sony eventually "recalled" the DRM-infested CD's, yet there they still were on the chain store shelves during the busiest shopping day of the year. There is no refund being offered, nor compensation for harm done by Sony's system - nor even an apology.
The mainstream anti-virus/security companies appear to be ignoring the Sony malware, either because they don't mind cooperating with malware creators when they come from major corporations, or they are afraid that Sony will sue them under the anti-circumvention clause of the DMCA. Either way, the largest anti-virus vendors don't appear to be prioritizing protecting their customers. Generally, when software as harmful and sneaky as this is discovered, anti-virus firms rush out updates, there's a lot of media noise, and some malware author winds up in jail. The rules appear to be different for multinational corporations. Security guru Bruce Schneier asks, Who DO the major security companies really serve?
All this, and the system doesn't even succeed at its one ostensible purpose (preventing unauthorized copying), since anyone in the know can bypass the system, by merely holding down the shift key when they first put the CD into their computer, or by sticking a small piece of tape on the CD (both of which are violations of the DMCA, but otherwise safer ways to listen).
Here's a great chart that summarizes what the two Sony malware DRM systems do, what's wrong with each of them, and what lawsuits are underway.
Next time, I'm going to write only about the problems with DRM in general. Meanwhile, please read Richard Stallman's The Right to Read - while you still can.