For the most part, I’ve stayed away from this subject because it’s really complicated; much more so than the casual user or music listener really cares about. But it is important and it’s something everyone should have at least heard about. I wanted to have a better idea of what has really been going on before I tried to write about it. Most of the pages linked here are pretty technical in nature, but even if you gloss over the tech speak you can still get the gist. If I’ve misrepresented anything here, please let me know so I can correct it.
Some time ago, Sony began manufacturing CDs with new DRM software called XCP from First 4 Internet. The discs require you to install a special media player to listen on your computer, but there’s something more happening behind the scenes. This went generally unnoticed for quite some time, then F-Secure identified the software and finally Mark Russinovich made the problem well known. He ran a scan using some software he co-wrote and discovered evidence of a rootkit on his machine.
“Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden.”
This was a serious discovery, so naturally he started investigating. What he found was pretty scary. He linked a hidden process to the media player installed by a CD from Sony/BMG.
“I closed the player and expected $sys$DRMServer’s CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent. It appears I was paying an unknown CPU penalty for just having the process active on my system. I launched Filemon and Regmon to see what it might be doing and the Filemon trace showed that it scans the executables corresponding to the running processes on the system every two seconds, querying basic information about the files, including their size, eight times each scan. I was quickly losing respect for the developers of the software.”
If I read that correctly, it’s scanning active processes eight times every two seconds. What purpose could that possibly serve?
But wait, there’s more. Mark wanted to remove the software from his computer. Sony claimed it was possible, yet it was nowhere to be found in the Add/Remove Programs list, there was nothing about it on the Sony site (this is no longer the case), and there was no help to be found at all. He took matters into his own hands and found that the software loads even in Safe Mode, meaning if something went wrong, you’d have a hell of a time fixing it. He was able to get it off his computer, only to find that his CD drive had been disabled.
In the following few days, things have only gotten worse. Mark has made many more interesting discoveries and catalogued it all for us: Dangers and Phoning Home, First 4 Internet Responds, and his Uninstall Experience. I’d include more details here, but he’s already done a great job of that.
I’ve put together a summary of the information I’ve gathered from Mark and other articles on this issue.
- The EULA does not disclose the software’s use of cloaking and implies that it can be easily uninstalled (it cannot). It hides itself by modifying the Windows kernel without your permission. Sony denies the software poses a security threat.
- This rootkit can hide the DRM files as well as anything else set up to take advantage of it (think trojans, worms, and viruses). Sounds like a hacker’s dream come true.
- The hidden software scans your active processes constantly. 240 times per second. No one seems to know why.
- If you do manage to get the software off your computer it will disable your CD drive.
- Sony recently announced to the press that they were making an uninstall tool available, though they made no attempt to ensure their users knew about it. It is virtually hidden in the FAQ section of their website.
- Sony’s “patch” can lead to system crashes and data loss because of the way it removes the cloak.
- The rootkit has already been used to get around the World of Warcraft anti-cheat software and now new viruses are taking advantage of it.
- The Sony CD player establishes a connection to Sony’s site and tells them each time you listen to your protected CD. This behavior could be used to record the ID of a CD and the IP address of the person who played it, though there is no evidence of this. However, simply by logging standard server activity this information would likely be collected. Sony says they don’t use it.
- Uninstalling the software is a chore in itself with several hurdles to jump through. You have to tell them twice that you want to uninstall. Don’t forget the majority of users wouldn’t know they’d installed the software in the first place.
- The CDs are trouble for more than just Windows users; they affect Macs, too, though the software comes from a different vendor called SunnComm.
- This move by Sony likely breaks laws in many countries around the world. Sony claims the CDs have only shipped in the US, though this has already proven to be false.
- A class action lawsuit against Sony has been filed in the state of California. Expect more to follow.
- For now, Sony has halted production of the CDs, but they have no plans to stop including the software with their CDs.
Needless to say, this has people really upset for obvious reasons. I think it’s safe to say this takes the idiocy of DRM to a whole new level of “I can’t believe this.” I guess Sony figured that the only way to make DRM work was to hide it from the user. Maybe someday they’ll learn that you really can’t hide much from the public at all; there’s always a way around (a fundamental reason why DRM will never work). The worst part is that this software opens up a whole new issue with privacy and protection. The fact that Sony denies there is a problem is unforgivable. Their stories change each time new information is revealed, which really leads me to believe they never thought anyone would figure out what they were doing. I’m not one to quickly start screaming about boycotts, but I will seriously think twice before I purchase another Sony product.