informa
/
Risk
Commentary

Sony Is Just As Bad As Music Pirates

Sony's latest response to the threat of music piracy is to engage in behavior every bit as bad as the pirates it's trying to protect itself from.
Sony's latest response to the threat of music piracy is to engage in behavior every bit as bad as the pirates it's trying to protect itself from.Sony BMG Music Entertainment decided that the threat of piracy was so severe that it needed to protect itself by installing hacker tools on customers' PCs that exposed those systems to massive security vulnerabilities.

Sony included hacker technology called a "rootkit" in the copy-protection software distributed along with one of its music titles. A rootkit is technology used by computer criminals to permit them to break into target systems. The rootkit is such a hairball to remove that security researchers recommended users not try to remove it themselves, but rather contact Sony to get instructions.

Sony countered by saying that the copy-protection software is harmless, and issuing a patch. Hackers, meanwhile, are making a mockery of Sony's claims, by distributing code that they calimed takes advantage of security holes opened by Sony's DRM.

And, as revealed today, the patch presents problems of its own; it can crash Windows.

The Sony software is, plain and simple, spyware, by any reasonable standard of the word. It installs itself without users' knowledge, it runs in stealth modee, it damages the user's system, and it resists removal.

Sony's tactic isn't just a problem for consumers; it's also a problem for business network managers. Employees often enjoy listening to music while at work, and an employee who innocently brings in a CD that's infected with Sony's copy-protection can open a security hole to the entire network.

Sony had no excuse for its behavior. The fact that some of its customers pirate music does not legitimize Sony's hacking into all its customers computers and exposing them to security holes. Sony needs to recall the infected media, confess it did wrong, apologize to customers, and make amends. Meanwhile, law enforcement authorities need to investigate whether Sony is in violation of civil and criminal laws against computer piracy. I'm no lawyer, but it sure looks from here like they are.

Update 11/9: The Electronic Frontier Foundation has released a partial list of what it claims are the CDs that sony has infected with its copy-protection software.

The titles include CDs by Celine Dion, Neil Diamond, Dion, and Ricky Martin. The EFF article also has tips on how you can tell if a CD you bought from Sony contains the copy protection.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5