WebMink
Simon Phipps's personal commentary

Thursday, November 10

Another "Kryptonite" case?
The misadventures of the Kryptonite lock company are the stuff of legend on the internet. You'll recall that someone posted instructions on how to hack supposedly secure cycle locks using just a ballpoint pen and an easily acquired knack. The response from the manufacturer was slow and dismissive, but the harmful effect the rapid spread of the information had on their business was dramatic.

Are we seeing another example developing? This time it's the case of the Sony music CD that installs a rootkit on Windows PCs when you try to play it. A security specialist, Mark Russinovich of Sysinternals, was the first to spot it, and only after the discs had been in the market for several months - clearly it covered its traces very well. He discovered that, after playing a Sony music CD, the kind of software that hackers use to conceal viruses and trojans had been installed on his PC - a "rootkit". He publicised the news and it spread like wildfire (see the Google search) because the rootkit opened up a new way for hackers to exploit Windows users - a rootkit installed by a trusted party.

This is of course far worse than the actions of Kryptonite. They merely neglected the market reaction to the exposure of an unintended weakness. Sony Music's action is far worse - they have actually propagated a rootkit, installed it on the computers of millions of customers as an expression of mistrust, and then left it there as a potential host for the dark activity of others. It's part of maybe 20 music CDs - who can say which ones - and will go on being installed long into the future, making claims that "we fixed the problem" irrelevant.

So what's Sony's reaction to getting caught? Well, the first report I saw was on the BBC.
A spokesman for Sony BMG said the licence agreement was explicit about what was being installed and how to go about removing it. It referred technical questions to First 4 Internet.
Sony hid behind a pop-up licence, the way spyware authors try to, and brushed off enquiries to their supplier. The supplier was condescending towards the discoverer of the rootkit and ignored the real implications of the issue:
Mr Gilliat-Smith said Mr Russinovich had problems removing XCP because he tried to do it manually, something that was not a "recommended action". Instead, said Mr Gilliat-Smith, he should have contacted Sony BMG which gives consumers advice about how to remove the software.
The arrogance in both answers is breathtaking, and showed every sign that Sony intended to brush off all comments. The article is not a one-off - I just heard an NPR feature on the issue in which a Sony executive utters the timeless comment:
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
So it's OK to exploit people's ignorance, expose them to the risk of attack by hackers and treat them as thieves? I don't think so. The speaker goes on to explain that Sony does not use the rootkit to engage in anything malicious; it's just there to stop MP3s being made. Well, whoopy-do - Sony won't be installing keystroke loggers or trojans using the rootkit; they can leave that to others. All in the cause of preventing a few kids using their iPod.

So where is all this going? I'm reminded of what Tim Bray had to say:
Here’s a hint: when the rest of the world wakes up and realizes they’ve been ripped off, they’re going to get mad and they’ll know who did it
Sony's Machiavellian position is that anything is permissible in the name of DRM - even their "fix" appears just to install a more sophisticated rootkit. Will this be Sony's Kryptonite moment? I think it will if they don't wise up and read the rest of the Kryptonite story (where they made good and started the road to recovery) really soon, because we all just found out that Sony Music is probably not a "trusted supplier".

posted at 2:45 AM (UK) | Permalink


Comments:

I'm sorry Webmink but it seems to me that you are comparing a watermelon to a grape. Kryptonite is the story about a 25-person company that got caught by the surprise of an emerging technology they did not understand. Sony deliberately infested trusting customers with nasty spyware. Kryptonite at worst was ignorant. Sony at best was unethical and clandestine.
 
Isn't that what I just said? I'm suggesting that the effect that caught the unwitting little Kryptonite may well engulf Sony. What's your gripe, Shel?
 
When I first saw the sysinternals piece, my reaction was to suggest that Sony's new slogan should be 'Sony: redefining evil'... and that's exactly what the people they pay to be their public voice have tried to do.

I would love to know what was said at the meeting that approved this. Doubtless, thanks to the lawyers smelling money, we will find that out, if not what they were on at the time.

DRM - just say $sys$off.

(lovingboth@livejournal)
 
I would not call what I wrote a gripe, and if you don't care for disagreement, you should turn off your comments.

The difference between a global monopolist injecting trouble into customers' computers and a naive 25-person bike lock maker who didn't get the damage the blogosphere could do is obvious.
Good night and good luck webmink.
 
Yeah, heard you the first time Shel, you seem to be restating what I am asserting. No need to be grumpy - just explain why you think my point, that the blogosphere's analytical eye and long reach is likely to impact Sony very negatively, is not right. Otherwise, glad to hear you agree and good luck with the book.
 
You can't blame Shel for being grumpy - he's never tasted real coffee. :-)
 
(c) 2003-8, Simon Phipps.