

Sony DRM Rootkits Part I

Ever wonder what the future would be like in a DRM’d world? Sony seem to have a pretty good idea of how things are going to be.

This is the story of owner rights being eroded for the sake of a company’s protection from piracy, how this policy is being applied elsewhere and how ultimately media and tech companies are shooting themselves in the foot by going down this road. This is the story of Sony’s rootkit, their utter disdain for users, how Sony is now getting sued, how Sony’s DRM Rootkit has led to police investigations and how people are finally starting to wake up and smell the coffee.

I’ve been meaning to comment on this for a while but haven’t got round to it until now. It looks like that’s a good thing, as just when you think the story has unfolded, a new twist comes your way.

On October 31st, Mark Russinovich at Sysinternals identified a new rootkit on his system, which came as some surprise to a professional rootkit hunter. After some inspection he found hidden device drivers, folders, programs and files, and code that patched the Windows API in order to hide their traces, a method common in rootkit and trojan design. Further investigation proved that a rootkit was definitely running on his system, but what?

Mark continued his studies and found that, sure enough, a driver had been installed that ‘cloaks’ any file, registry entry or process whose name starts with “$sys$”. To confirm this, Mark made a copy of Notepad and renamed it $sys$notepad.exe. It disappeared. Mark’s system had been compromised by a rootkit, but in his own words its indiscriminate nature showed “a lack of sophistication on the part of the programmer”. Mark disabled the rootkit, itself a tricky process as there was no logic in the code to unload the driver gracefully: disabling it could easily crash the system if any thread was executing, or about to enter, one of the functions the driver had hooked.
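The $sys$ test above is easy to turn into a repeatable cross-view check: write two marker files, one with the suspect prefix and one without, then compare what ordinary directory enumeration reports against what you know you wrote. The script below is an added example, not code from the original post, from Sysinternals or from First 4 Internet; it assumes only what the post states, that the driver hides names beginning with the literal prefix "$sys$" from normal directory listings. The `simulated_cloak` helper is a constructed stand-in (a listing call that drops prefixed names) so the script shows both outcomes without the rootkit present; all function names here are the example's own.

```python
import os
import tempfile
from typing import Callable, Dict, Optional

# Prefix the post reports the driver cloaks. This constant is taken from the
# post; everything else here is an added example, not the rootkit's or
# Sysinternals' code.
CLOAK_PREFIX = "$sys$"

ViewEntry = Dict[str, bool]


def plant_canaries(directory: str, prefix: str = CLOAK_PREFIX) -> Dict[str, str]:
    """Write two marker files: one with the suspect prefix, one without.

    The unprefixed file is a control: if it goes missing too, something other
    than a name-prefix cloak is wrong (permissions, wrong directory, ...).
    """
    paths = {
        "cloaked": os.path.join(directory, prefix + "canary.txt"),
        "control": os.path.join(directory, "canary.txt"),
    }
    for path in paths.values():
        with open(path, "w", encoding="ascii") as fh:
            fh.write("canary\n")
    return paths


def cross_view(
    directory: str,
    planted: Dict[str, str],
    enumerate_dir: Callable[[str], list] = os.listdir,
) -> Dict[str, ViewEntry]:
    """Compare the enumerated view of `directory` with what we know we wrote.

    `enumerate_dir` is the high-level listing call a cloak would intercept;
    it is a parameter so a simulated cloak can be substituted for testing.
    """
    listed = set(enumerate_dir(directory))
    view: Dict[str, ViewEntry] = {}
    for label, path in planted.items():
        view[label] = {
            "enumerated": os.path.basename(path) in listed,
            # Opening by exact name is a second view. The post does not say
            # whether the cloak blocks that, so it is reported, not relied on.
            "openable": os.path.isfile(path),
        }
    return view


def cloak_detected(view: Dict[str, ViewEntry]) -> bool:
    """A prefix cloak: the control shows up, its prefixed twin does not."""
    return view["control"]["enumerated"] and not view["cloaked"]["enumerated"]


def run_check(
    directory: Optional[str] = None,
    enumerate_dir: Callable[[str], list] = os.listdir,
) -> Dict[str, object]:
    """Plant the canaries, compare views, clean up; return view plus verdict."""
    workdir = directory or tempfile.mkdtemp(prefix="cloakcheck-")
    planted = plant_canaries(workdir)
    try:
        view = cross_view(workdir, planted, enumerate_dir)
    finally:
        for path in planted.values():
            try:
                os.remove(path)
            except FileNotFoundError:
                pass
        if directory is None:
            os.rmdir(workdir)
    return {"view": view, "cloaked": cloak_detected(view)}


def simulated_cloak(prefix: str = CLOAK_PREFIX) -> Callable[[str], list]:
    """Constructed stand-in for the rootkit's hooked enumeration.

    Returns a listing call that silently drops names with the prefix. No
    driver is involved; this only lets the check be exercised offline.
    """
    def listing(directory: str) -> list:
        return [n for n in os.listdir(directory) if not n.startswith(prefix)]
    return listing


if __name__ == "__main__":
    print("clean enumeration :", run_check())
    print("simulated cloak   :", run_check(enumerate_dir=simulated_cloak()))
```

Run it as-is on a clean machine and `cloaked` is `False`; on a machine carrying the driver described above, the prefixed file drops out of the listing while the control stays, and `cloaked` flips to `True`. It is a deliberately narrow check: it catches exactly this kind of name-prefix cloak in directory enumeration and nothing else, which is why the control file and the second "openable" view are kept alongside the verdict.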

When he rebooted his system after disabling the rootkit, Mark looked around for signs of the source. He wasn’t expecting much by way of useful information, but bizarrely the product name, the developers and other details were all present. The files claimed to be part of “Essential System Tools” from a company called “First 4 Internet Ltd.” First 4 Internet have deals with various record labels to provide DRM for their CDs. Mark established that the rootkit on his system was First 4 Internet’s ‘Digital Rights Management’ software and that it had come from one of his CDs. There was no uninstall function, and the EULA said nothing about installing software that could not be uninstalled.

Mark removed all of the files associated with the DRM rootkit manually and rebooted. To his horror, his CD drive had disappeared. The software had hooked its own driver into the CD drive’s driver stack, and deleting the files without unhooking it left the drive unusable; the registry entries involved were also locked so that his administrator account could not remove them. After some fiddling, Mark was able to remove them by running as the LocalSystem account, an account used only by internal Windows processes and not by users.

By the 4th of November, news of the DRM rootkit had rippled through blogs around the world and hit the mainstream media. You might think at this point Sony would put their hands in the air, hand over an uninstaller and apologise. But no. Sony refuses to admit blame or to make an uninstaller easily available. On Sony’s FAQ page there is a form to fill in, after which Sony agree to send you an email containing directions, but that’s as far as it goes.

When you do get an uninstaller (after several exchanges of e-mails), the download text informs the user that the DRM does not “pose potential security vulnerabilities”. As the above shows, this is false. The download is actually 3.5 MB, considerably larger than a simple uninstall script, because it also includes updated files for the DRM. Once this is installed a new entry shows up in Add/Remove Programs, although Mark found that the uninstaller failed part-way through. It did disable the cloaking elements, but not safely: the driver is unloaded while other code may still be inside its hooked functions, the same crash risk that made removing it by hand tricky.

So where did Sony go wrong?
In a nutshell, they went wrong in two areas – first in bundling the rootkit, and second in the way Sony handled the resulting disclosure.

Sony bundled a cloaking system that modifies core Windows components and makes no reference to this in the EULA. This could be argued to be a breach of computer crime laws in a number of countries; it is certainly an unethical practice. Sony needs to give users a choice: accept, and install the rootkit-encumbered DRM; or reject, and eject the CD.

In the way this was handled, Sony have claimed that there are no potential security vulnerabilities and that the uninstaller was simply to alleviate concerns. This is untrue. Sony’s response is simply incorrect, and the initial deception in the EULA makes it tempting to read the response as a further deliberate attempt to mislead the end user. Whether or not the user is being deliberately misled is something we’ll probably never know. Considering that the rootkit was developed by a third party, that the EULA was drawn up by a separate legal team and that the response was written by yet another team in marketing, it wouldn’t be surprising if the three parties never communicated with each other. Yes, it’s all wrong, and yes, Sony are telling untruths, but there’s an opportunity for Sony to learn from these mistakes.

In the next part of this article, I’ll cover this further, including the responses from the top brass.


Posted in Security.

