dan > sony rootkit

In October 2005, Mark at Sysinternals discovered that Sony is placing malicious rootkit technology in some of its music CDs. A rootkit is "a set of tools frequently used...to conceal running processes and files or system data, which helps an intruder maintain access to a system for malicious purposes" (see Wikipedia).

Here's how it works: You buy a Sony/BMG music CD. The first time you insert it into your computer, it installs malicioius rootkit technology without your knowledge or consent. You won't even see it happen. The rootkit then takes over your computer and hides itself, in the same way that viruses, spyware, and trojan horses often do. Want to remove it? Sony says too bad. It is almost impossible to remove from your computer. (Update: Sony claims to have an "uninstaller," but it is ridiculously hard to obtain, and it's functionality is highly suspect.) The rootkit also creates huge security holes that could allow other intruders to more easily take over your computer. This is bad news. Very bad news. Forget all the work you've done in installing firewalls, anti-spyware, and anti-virus programs. Sony just snuck right past it all, dug its hooks into your computer, and won't let go. (Update: Computer Associates is leading the charge in correctly labelling Sony/BMG's technology as spyware.)

It's time to fight back!

What can you do about it?

Hit Sony where it hurts: in the wallet. Sony is all about turning a profit. I don't have a problem with that. We just need to cut them as deeply as possible so they learn this is not the way to win customers and increase profits. We can't let them get away with this. And even when they've stopped using rootkits, we must continue. We need to make this so bad for Sony that they have to become an advocate against these kinds of practices before they can get their good name back. Let's not ever let another company do this again.

Here's what you can do:

  1. Spread the word. Post about this in online forums. Tell your family and friends. Link to articles about Sony rootkits if you have a web site. Make a sign. Make a bumper sticker. When you think Sony, think sleezy practices. Think spyware. Think rootkits.

  2. Boycott Sony. Do this for at least six months or until Sony has repented. No more PSPs, PS2s, and no PS3s. No Sony cellphones. No Sony computers. No Sony videocameras. And no Sony music.

  3. Legal retribution. Start or join a lawsuit against Sony if you've been affected. Contact your local DA and file a criminal complaint against Sony Corporation for unauthorized intrusion into your computer. Contact your local congressional representative to request that laws be passed further resticting companies like Sony from doing this.

  4. Warn customers and vendors. Find sales/review sites of Sony products at online stores. Mod up any well-written reviews that mention Sony rootkits and encourage users to avoid the product. For example, go to Amazon.com listings for Sony music CDs with malicious rootkits. Write a concise review on how horrible you think the rootkit technology is, and give the product a one-star rating. Mark any such reviews that others have written as helpful.

    To get you started, try here, here, here, here, here, and here. Just think what effect this will have when the highest ranked comment on all those products warns customers of Sony's malicious tactics and your reviews push the CDs' ranking down to 1 or 2 stars. Mark as "not helpful" any reviews stating that we should judge the music, not the rootkit or "DRM policital mess" on the product page. They are wrong - we are rating the product, not the quality of the music. The product is what you buy and the product is what could destroy your computer. If you like the music, go rate it highly somewhere where the malicious rootkit technologies are not used, such as iTunes.

    Complain to the vendors of those products. Demand a refund, or write a letter or email. For example, in my opinion, the above products violate Amazon.com's policy on items that can be listed for sale. First, they may be "illegal items" since they install malicious rootkit software. Second, I believe they are "items that infringe upon an individual's privacy" since Sony/BMG won't give details on what the program does and it has been detected to send out information. There should be a Suggestions Box at the bottom of each of the above Amazon.com products that allows you to file a complaint.

    File a complaint with the Better Business Bureau and Consumer Affairs.

  5. Warn the artists. Write to any artists that you enjoy and tell them to stop allowing Sony to use such malicious tactics. Tell them you won't buy their music as long as Sony messes with your computer. If your favorite artists' CDs aren't malicious, thank them for this and let them know you'll continue to be a happy customer as long as it stays this way. It is unfortunate that innocent artists will lose sales due to Sony/BMG's malicious practices, but we need the artists fighting against Sony and demanding that malicious programs be removed from their audio CDs.

  6. Notify Sony. Let them know everything you've done, and your resolve to continue your boycott until they stop these practices and join us in the fight against this. Call them at 800.488.7669, fill out the feedback form on their site, email them at SonyMusicOnline@sonymusic.com, or write them at:

    	Sony Music Online
    	555 Madison Ave, 10th Fl
    	New York, NY 10022-3211
    

What if you already have a Sony/BMG CD? Check here to see if it has rootkit technology. If so, demand a refund from the store. If you can't return it, you can prevent the installer from running by holding down the shift key on your computer when you insert the CD. This blocks the auto-run feature. But you'll have to do it every time. Forget once, and you'll have a rootkit on your machine. You might want to consider disabling autorun altogether. Or better yet, avoid Sony/BMG products.

[Obligatory Disclaimer: I am not a lawyer and nothing on this page is meant to constitute legal advice.]


Image of email address (to protect from spam)
Last update: 09 November 2005.