More on Sony DRM and infected music CDs

Following up on what I just posted, it seems that Sony BMG is now being sued for damage their secret RootKit software has done to PCs:

Sony's now infamous decision to use system destabilizing DRM malware in order to "fight piracy" (despite it being shockingly easy to defeat) has earned Sony a lawsuit or three. A new class action suit has been filed in Los Angeles Superior Court, another is expected in New York this week, and there have been a handful of rumblings in other countries, as well.

In California, the class action suit alleges that Sony's DRM has caused harm to computers, and that the company failed to disclose precisely what the DRM technology would do to users' computers. According to sources, the suit alleges three distinct violations of California law, including violations of statutes relating to deceptive trade practices and obfuscated technological measures deemed to be anti-consumer. The suit seeks an injunction against the sale of the affected CDs as well as monetary damages for those who purchased the discs.

The Electronic Frontier Foundation also is considering legal action and is seeking information from affected customers.

What's more, now the "Stinx-E trojan" has appeared to exploit the Sony DRM software's code to open a back door to PCs.

And not only that, Mark Russinovich reports that the DRM software itself is harder to uninstall than many malicious viruses.

What's even more, Cory at BoingBoing links to Darren Dittrich's report that the Sony CDs also infect Macs:

I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.

Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.

EFF has a partial list of infected CDs:

Trey Anastasio, Shine (Columbia)

Celine Dion, On ne Change Pas (Epic)

Neil Diamond, 12 Songs (Columbia)

Our Lady Peace, Healthy in Paranoid Times (Columbia)

Chris Botti, To Love Again (Columbia)

Van Zant, Get Right with the Man (Columbia)

Switchfoot, Nothing is Sound (Columbia)

The Coral, The Invisible Invasion (Columbia)

Acceptance, Phantoms (Columbia)

Susie Suh, Susie Suh (Epic)

Amerie, Touch (Columbia)

Life of Agony, Broken Valley (Epic)

Horace Silver Quintet, Silver's Blue (Epic Legacy)

Gerry Mulligan, Jeru (Columbia Legacy)

Dexter Gordon, Manhattan Symphonie (Columbia Legacy)

The Bad Plus, Suspicious Activity (Columbia)

The Dead 60s, The Dead 60s (Epic)

Dion, The Essential Dion (Columbia Legacy)

Natasha Bedingfield, Unwritten (Epic)

Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)

Several other Sony-BMG CDs are protected with a different copy-protection technology, sourced from SunnComm, including:

My Morning Jacket, Z

Santana, All That I Am

Sarah McLachlan, Bloom Remix Album

They also tell you how to figure out if another CD is infected.

(Now I need to call my sister. I'd bought Santana's album, but didn't care for it and gave it to her. I'm glad I didn't pop it into my Mac first ... but she has a PC. Ack!)

David Berlind on ZDNet notes that the bands whose CDs are being sold with the crippleware are not happy about it:

Z isn't the only band that's upset with the latest DRM developments. Last month, reported how a member of the band Switchfoot whose DRM-protected CD debuted at No. 3 on The Billboard 200 was equally disappointed. Said Switchfoot guitarist Tim Foreman, "We were horrified when we first heard about the new copy-protection policy…. It is heartbreaking to see our blood, sweat and tears over the past two years blurred by the confusion and frustration surrounding new technology."

Even more demonstrative of the control points afforded to any market leading or dominating solution, the CNN story goes on to describe how Sony BMG is aware of the problems when it comes to transferring music from its DRM-protected CDs to iPods and is "urging people who buy copy-protected titles to write to Apple and demand that the company license its FairPlay DRM for use with secure CDs." Even though Apple's FairPlay may not have a monopoly yet, the company is behaving very monopolistically, an issue I discuss in another blog entry that I posted today.

Molly Wood's CNET column last week expressed outrage at Sony's behavior:

But this--using the tactics of criminals to invade our PCs without our knowledge and to expose us to further attack, just so you can keep us from, say, burning a mix CD and giving it to our friends--this is beyond the pale. And as many news sources are beginning to point out, there's some reason to think it might also be illegal, under the U.S. Computer Fraud and Abuse Act.

From the realm of unintended consequences, jasonn wonders if anti-virus companies could be prosecuted for removing the DRM software:

The logical question, regarding the Sony rootkit scandal and the upcoming removal tools from antivirus companies, is when will the DOJ prosecute antivirus companies for violating the DMCA? It's not a question of whether or not they violate the law when they supply removal tools for Sony's rootkit, aka Digital Rights Management software, which now exposes PCs to a virus threat. The question is whether or not the government will apply the law.

Isaac.Eiland-Hall is astounded by all this:

I mean really—I can’t imagine they thought they could get away with this.

I tell you what—if I had Sony stock, I’d be selling it like no tomorrow—because that’s what they might have.

Perhaps the simplest and clearest response comes from over By the Bayou:

Nice going. Do they just really hate their customers? As I said before: this is why I almost never buy CDs anymore.

At the very least, I think this is just another demonstration of why Cluetrain-clued-in businesses and open source approaches to technology have bright futures.


Some years ago I knew a self-defined "gun nut," an acquaintance of a friend. He owned (what else?) a gun shop. He was worried that someone would come into his place of business and make off with the weapons. Instead of putting them into a vault as people often do these days, he decided to protect his establishment by having a loaded shotgun (not with just rock salt) pointed at the door (or maybe several, I never saw) where the perpetrator would enter. He described a set of pulleys that would activate the shotgun as the door was pulled open.

I asked innocently (I was still in high school) what if a fireman were to come through, or the police responding to the break-in, and ended up getting killed? He was not pleased that I was not impressed with his protection of his property.

As to Sony, it does not matter if there is collateral damage so long as their interests are protected and perhaps it is unfair to use the extreme example of the "gun nut," but there is an issue of liability and moral responsibility.

Sony will probably get away with this, but these sorts of behaviors undermine the public trust and confidence in the products. Yes, there is a partial list above of CDs that are to be avoided, but it gets down to wanting to avoid ALL Sony products. I recently got a Sony DVD and I am worried that it has compromised my system.

It is a weird twist on Gresham's Law - that bad money drives out good. People hoard the real money and get rid of counterfeit money as quick as they can so all that circulates is counterfeit money. If people suspect some Sony products are bad, all Sony products will suffer.

Hurting the public is bad business.