Slashdot Mirror


More on Sony's "DRM Rootkit"

A couple of days ago we posted a story about Sony DRM installing a rootkit. Since then we have seen many more stories on the subject that I thought were worth sharing. manno gave us a link to The Inquirer and salemnic sent us a page from The Washington Post. smallfries gave us one from PC Pro. It's nice to see this story not getting lost in the cracks since the implications are gigantic.

5 of 608 comments

  1. Regardless of where this goes... by Donniedarkness · · Score: 5, Insightful

    Even if this doesn't go to court, at least this is getting some attention... and ANY bad attention for DRM makes me happy.

    --
    Earn a % of cash back from Newegg, Tiger Direct, Walmart.com, and more: http://www.mrrebates.com?refid=458505
  2. ... until removed or deleted. by ArsenneLupin · · Score: 5, Insightful
    See that part about "the SOFTWARE will reside on YOUR COMPUTER until removed or deleted"?

    ... but they conveniently forget to point out that their software can't be removed or deleted by the common user...

    So, technically they are in the clear (in the same way that they would be in the clear if they said "the SOFTWARE will reside on YOUR COMPUTER until pigs grow wings"), but what they are doing is still morally very wrong...

    As far as being able to uninstall it via "add/remove programs", I wasn't aware that this made software dismissable via legal grounds.

    It's just not a matter of failing to supply some user-friendly functionality to make it extra easy to uninstall.

    Such functionality might take time to develop, and so a case could be made that the developer just didn't feel it worthwhile to spend the effort...

    But in this case, the developers went out of their way to make it extra difficult to detect, let alone remove, their software. Even without Add/remove functionality, you could still remove the files and registry keys manually, if the software was just sloppy, rather than malicious. But in the present case, the software's files and reg keys are hidden, so you can't just remove them. And if you do find the trick how to de-activate the rootkit, removing the resources will break the OS if not done properly (disabled CD driver), meaning that for a normal user the only alternative is to reinstall the OS. Not nice!

    1. Re:... until removed or deleted. by Ender+Ryan · · Score: 5, Insightful
      I challenge your hypothesis.

      The SOFTWARE is designed to hide itself, alters the functionality of the machine to the detriment of its performance and can cause it to malfunction (prevent CD/DVD readers/writers from working properly), opens up the machine to further attack, and finally reduces the stability of the machine. The EULA, which you cited, is intentionally vague and misleading, and certainly does not absolve Sony of responsibility for the above problems caused by their SOFTWARE. Also, just because it's in the EULA, sorta(!), does not make it legal. Sony is clearly being deceptive with these products and their EULA, and there are laws on the books to protect consumers from such action.

      Furthermore, it is not a safe bet to assume an EULA is a binding contract; there is precedent both ways on this, it depends on the EULA and the judge's opinion, and there are all kinds of laws regarding contract validity.

      --
      Sticking feathers up your butt does not make you a chicken - Tyler Durden
  3. Re:Hope it catches on by mc900ftjesus · · Score: 5, Insightful

    For god's sake, yes. ./ we are all now responsible for spreading a new term "infected with DRM." A bad publicity spin is a better way to combat DRM than actually explaining it to Joe Sixpack. The word infected implies that it's bad, christ I've met people who think viruses are like human viruses (no one makes them they just happen). Leave the tech speak at home, just dumb it down to three words: infected with DRM.

  4. Boycotts are worthless... by FellowConspirator · · Score: 5, Insightful

    ... for stuff like this. If you care enough to REALLY do something about it, there are really only two things to do:

    1. File a tip with the US Department of Homeland Security

      Intentionally or otherwise, the program is exploiting a flaw in a popular operating system in a way that not only enables them to control access to the data on the CD -- which itself is illegal, but fat chance the government will help you with that -- but it in so doing opens up the machine to facile infection with illicit software which it will then actively cover up and make detectable only to very knowledgeable users. If DHS is serious about cyber terrorism, they shouldn't be letting companies subvert the already weak security of the predominant operating system and prime them for becoming unwitting pawns in terrorist activity.
    2. Develop a SafeDupe campaign.

      Make a simple flyer explaining what's happened and the implications and see if local record stores would be amenable to helping out. This could be as little as having them stuff an info packet in their bags, to leaving a stack of Live Linux CDs that do nothing but permit a user to duplicate a CD to CD-R without the offending software, or even have a "SafeDupe" day where a few people set up a table where purchasers can show proof of purchase and bring a blank CD to have it "SafeDuped" for them. Obviously, most record stores won't want to rock the boat, but a well-spoken and sincere person (armed with copies of coverage from the mainstream media talking about the problem) ought to be able to find at least one or two store managers with an ethical streak.

      It's perfectly legal to make such copies, and if you don't believe me, ask a lawyer or download the Berne Convention on Copyright and read it yourself.

    And remember kids, calm, cool, and collected. No name calling, no vitriol. Attribute not malice where stupidity is explanation enough, etc. And do make sure that whatever you do is entirely on the up-and-up, transparent to everyone involved, and that the press and SonyMusic are well informed on the subject.