Sony BMG Music Entertainment Inc. issued another patch for its rootkit-laced digital rights management (DRM) system Tuesday. But a top executive's response to the outcry over its use of the technology has only added fuel to the fire.
Hesse was contacted for this story by phone Tuesday, but he did not respond. IT professionals who were asked about the controversy said Sony's attempt to justify the use of rootkit technology is especially troubling.
"It never ceases to amaze me that companies will use techniques that are clearly unethical," Paul Schmehl, adjunct information security officer for the University of Texas at Dallas and a founding member of the Anti-Virus Information Exchange Network, said in an e-mail exchange. "Then, when confronted, instead of coming clean, they attempt to minimize the damage or criticize the researcher's findings."
All this does is motivate researchers to work "that much harder" to find the truth, he said, adding, "When the truth does come out, and it doesn't fit the company's version of the facts, the results can be catastrophic. Sony is now being sued. The lawsuit will generate even more publicity, none of which will make Sony look good."
So far, The Washington Post noted Tuesday, Sony faces a class-action lawsuit filed on behalf of California consumers who may have been harmed by Sony CDs in which the rootkit technology is used. A second, nationwide class-action lawsuit was expected to be filed against Sony in a New York court on Wednesday seeking relief for all U.S. consumers who have purchased such CDs, the paper added.
Todd Towles, a network systems analyst at a medium-sized, Southeastern-based retail chain, said in an e-mail exchange that Sony deserves the backlash because of:
- Its "obvious attempt" to mislead the casual user of the running software;
- Its "lack of information discourse" in their end user license agreement about the rootkit-type technology;
- Its claims that the software is harmless, even though the rootkit technology can be used to hide any system process with a simple rename -- a feature that reduces the overall security of a computer system; and
- The uninstaller the company and its British technology partner, First 4 Internet Ltd., issued last week only removes the cloaking techniques -- not the software or the DRM.
"It would seem to suggest that Sony either doesn't understand the security consequences of their actions or meant to mislead the public again about the security consequences of their rootkit technology," Towles said. "These issues could very well land Sony BMG in some very hot legal water… I am not a lawyer… but I can say it doesn't look good for Sony. As a privacy advocate, I take real issue with the line that Sony now appears to be flirting on."
Towles and Schmehl said they've been keeping track of developments by reading the blog of researcher Mark Russinovich at Sysinternals.com. Russinovich, chief software architect and co-founder of Winternals Software in Austin, Texas, found the rootkit on his own machine and wrote up an analysis of it on his blog, setting off the controversy.
In his most recent entry, Russinovich detailed a response he got from First 4 Internet rebutting several of the issues he raised. "Instead of admitting fault for installing a rootkit and installing it without proper disclosure, both Sony and First 4 Internet claim innocence," he said. "By not coming clean they are making clear to any potential customers that they are a not only technically incompetent, but also dishonest."
"His analysis of their response is pretty devastating," Schmehl said. "He has now proven that you can crash Windows using their aries.sys driver, which contradicts what they claim. Furthermore, one of the commenters in one of the threads has discovered that you can rename a CD ripper using the First 4 Internet clocking technique ($sys$filename) and completely bypass their DRM protection."