I've been puzzling over how so many people in the UK and all over Europe got infected with Sony's rootkit, when Sony says it doesn't distribute those CDs in the UK. Then I had a thought. Doesn't Sony allow you to download music from its website? Is it possible that they have something rootkitting around in there too? Has anyone checked?
I mention it because of the statement made by the Department of Homeland Security official that if the bird flu happened to hit at the same time the rootkit was compromising millions of computers worldwide, it could be very serious indeed: "If we have an avian flu outbreak here and it is even half as bad as the 1918 flu, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is going to be a matter of life and death and we take it very seriously as well."
I couldn't find anyone writing about researching the digital downloads. So I went to Sony's site to buy some music to download, just to see what would happen. Notice you have a drop-down menu under Digital Downloads, where you choose a store. If you choose Sony Connect, there is a note "Must Be Installed." That's true for iTunes too, and Napster, and Real and everything else on the list. You need a player. So, what is in the Sony Connect player? Are we allowed to look? If not, could someone please do something about the DMCA before someone dies needlessly? Seriously. Is that fear why no one caught this rootkit for so long?
Sony Connect launched in July of 2004 in France, Germany and the UK, according to this article in The Register, with other countries in Europe to follow later that year. That is a long time for a rootkit to be spreading with no one noticing. I understand that the antivirus companies as a group sold us out, and went along with Sony, but what about other security researchers? No one thought to check? Or no one dared to? The article also mentions that Sony Connect is located in Germany. I mention that for the lawyers out there.
I am not a lawyer, but I reasoned probably I was allowed to do what Mark Russinovich did, so I decided I'd buy something and download it and see what happened next. Note that this isn't legal advice. I am just explaining what I did, not what anyone else should or shouldn't do. But I hit a wall. You have to have Internet Explorer as your browser. Really. I'm wondering if anyone else has thought of this as another possible source of infection? Obviously there is some kind of tether on the download. This 2003 Wired article on Sony explains what Sony was planning and why:
Users of online services are offered only "tethered" downloads, which come with limitations on how files can be copied or burned to a CD, or transferred to a portable player. It's as if Macy's used anti-shoplifting tags to set limits on how many times your pants could be put in a suitcase or where you could go in them....
With OpenMG X, the version being developed, Sony will no longer set blanket rules for its own devices; it's created a digital rights management system that works on any manufacturer's hardware and allows the content owner to set the rules. Sony wants OpenMG X to be accepted across the entertainment industry - an ambition that puts it face-to-face with Microsoft. "The whole security/digital rights management/copyright arena is a critical battlefield," Stringer declares. "We're racing - racing - to get to a solution that has an open standard so that Microsoft doesn't waltz in and develop the audio-video operating system."
A digital rights management system isn't just a traffic cop; it's a powerful tool that gathers all kinds of information about consumers, from credit card numbers to listening habits, and dictates which devices can talk to the PC and how. Microsoft's DRM software, a key feature of its Windows Media platform, promises total flexibility for entertainment companies, and it's designed to work not just on PCs but with consumer gadgets like Sony's. "If it is the de facto standard for all digital rights management," says Stringer, "then at some point it migrates into all the networked devices, including the television set and everything else. Sony's nightmare is that the TV set becomes a monitor."
This puts Sony in a bind. Except for the Xbox, Microsoft doesn't really sell hardware. All it has to do is keep entertainment executives happy and watch them adopt its DRM platform. If Sony fails to offer every bondage option the entertainment folks can imagine for their customers, it opens the door for Microsoft to take control of its hardware.
Isn't that the problem here? That the entire world, not just software companies like Microsoft or hardware companies, which Sony partly is, but legislators too, has caved in and set everything up to satisfy the entertainment industry? And what it takes to satisfy them! We got a peek when the rootkit was revealed.
Then in 2004, The Register took a look at Sony Connect:
Sony's choice for format restricts consumers to its own hardware - a complaint the paper also makes about Apple, though at least iTunes does permit you to rip CDs to MP3 for transfer to other brands of player. Sony's SonicStage software does not support MP3 and "it defaults to storing music in an invisible, deeply buried sub-directory", the paper warns....
"Connect permits an unlimited number of transfers to portable players - except for songs from Warner Music Group's labels, which are restricted to three transfers. Ever," the paper reveals.
"Similar control-freak behaviour ensues when you move purchased songs to the other two PCs you're allotted at any one time: those copies lose all their transfer and CD-burning permissions. Sony says an upcoming software update will restore transfer rights, but not disc burning, to those copies."
Obviously, if it can do this, it is talking to Sony about you in some manner.
If anyone is researching this, no doubt they'll let us know eventually.
I know it's the right question. If you read Bruce Schneier's article on the stunning acing of all the anti-virus companies, their failure to either notice the rootkit (with the exception of F-Secure) or to tell us about it, I think we can at least validly ask if this problem is a lot deeper than it originally seemed. And I sincerely hope someone who knows how and is allowed to is looking into more than just Sony's CDs.