11.11.05

Sony BMG Summary

Here is what has transpired so far in this debacle:

The DRM software Sony has been shipping on many CDs since April is cloaked with rootkit technology:

* Sony denies that the rootkit poses a security or reliability threat despite the obvious risks of both
* Sony claims that users don’t care about rootkits because they don’t know what a rootkit is
* The installation provides no way to safely uninstall the software
* Without obtaining consent from the user, Sony’s player informs Sony every time it plays a “protected” CD

Sony has told the press that they’ve made a decloaking patch and uninstaller available to customers; however, this still leaves the following problems:

* There is no way for customers to find the patch from Sony BMG’s main web page
* The patch decloaks in an unsafe manner that can crash Windows, despite my warning to the First 4 Internet developers
* Access to the uninstaller is gated by two forms and an ActiveX control
* The uninstaller is locked to a single computer, preventing deployment in a corporation

Consumers and antivirus companies are responding:

* F-Secure independently identified the rootkit and provides information on its site
* Computer Associates has labeled the Sony software “spyware”
* A law firm has filed a class action lawsuit on behalf of California consumers against Sony
* ALCEI-EFI, an Italian digital-rights advocacy group, has formally asked the Italian government to investigate Sony for possible Italian law violations.


I'm going to step away from this story (via the blog anyway) for now. I will post anything that's big when it breaks. Please visit Mark's Sysinternals Blog for more up-to-date information.
