Sony's Even Worser Week
By Wes Phillips November 20, 2005 — As we go into our fourth week of coverage of Sony BMG's digital rights management debacle, it's a good time to review what all the fuss has been about. On October 31, Mark Russinovich posted his discovery of a root kit—a cloaked file that had been inserted on to his computer's hard drive. Cloaked root kit files are popular tools used by malevolent hackers, so Russinovich was curious about how the files he detected had entered his computer. It came from Get Right With the Man, a Sony DRM-protected disc Russinovich had purchased and played on his computer. When he attempted to remove the hidden files, Russinovich lost the ability to use his CD drive.

Russinovich discovered that the program was a digital rights management scheme called XCP, from First4Internet, Ltd. (F4i) and that the hidden files installed spyware that was capable of reporting back to Sony on how the computer was being used. Sony denied this, but later recanted—saying that the company did not pay attention to the data it received in this manner.

Sony also insisted that the hidden files were not a problem, although it later issued a "removal" program it called a "Service Pack." The service pack did not actually remove the files, it merely "uncloaked" them.

Software expert Ed Felton opined that Sony's DRM removal program actually "open[ed] a huge security hole on your computer. " Reports followed that some malware programs had already utilized those holes. On November 11, Sony finally agreed to stop shipping CDs with F4i's DRM software.

On November 15, Sony offered to exchange any of the F4i XCP discs for non-copy–protected versions. On November 16, the company finally withdrew its "uninstaller" program and recommended that its customers not use it.

On November 18, Sony posted an exchange notice identifying all XCP-encoded titles. One of the most fascinating tidbits from that webpage is the following revelation: "Whether or not you choose to participate in the CD exchange program, you can update or uninstall the XCP software at http://cp.sonybmg.com/xcp. We have also provided major software and anti-virus companies with this security update. If you receive regular security updates from a major anti-virus service, that service should provide an update covering the XCP software through the standard process."

Hmmm, if the XCP files did pose a security problem, where were those major software and anti-virus companies in all the months before Russinovich sounded the alarm? That's precisely the question Bruce Schneier asked at Wired. Schneier's conclusion? "The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us."

In other words, it ain't malware if it's done by a big corporation—or at least that's the way other big corporations like Microsoft and Symantec seemed to play it.

We may never know exactly what finally embarrassed Sony into distancing itself from its bone-headed DRM scheme, but the magnificent website Boing-Boing, which has been on this story like white on rice, may offer a clue. On November 20, Cory Doctorow posted some deep dish from a "high-placed source at Sony BMG" that claimed, "Some of the top Sony BMG artists who had XCP placed on their CDs are complaining directly to the label heads, furious that it will hurt their relationship to their fans and their sales as they go into the massively important Christmas season."

In addition, Doctorow's Deep Throat says a rising number of people within Sony BMG are kvetching that the DRM scheme attacked "the people that are doing the right thing and buying our music." At least one label chief vows that no more DRMed CDs will appear on his watch, Doctorow's source says. Perhaps sanity will finally triumph in this battle of the witless.

Or perhaps not. Reports have also surfaced that "a critical vulnerability" has been found in Apple's iTunes For Windows music program.