Skip to Content
Uncategorized

Rooting Out Sony’s Rootkit

Why you should care about the decade’s worst digital rights management debacle.
May 18, 2006

My feature story “Inside the Spyware Scandal” – published this week in TR’s print magazine and here on our website – asks how the world’s second-largest record label, Sony BMG, became one of the world’s largest distributors of malware.

Fifty-two Sony BMG CDs released last year carried the notice “Content Enhanced & Protected.” The main “enhancement”: a proprietary player program that restricted owners of the CDs to ripping and burning no more than three digital copies of the music. (Those copies were “sterile,” meaning they couldn’t be copied again, and they were in Windows Media format, meaning they couldn’t be played on the most popular mobile music player, the iPod.)

The player software, which users had to install in order to listen to the CDs, secretly placed a hacker tool called a “rootkit” on users’ hard drives as a way of cloaking key elements of the copy-protection system against prying eyes and tampering.

The cloaking technique was highly effective. In fact, it was too clever by half. The problem – which went unnoticed by Sony BMG or anyone else for 10 months – was that a rootkit amounts to a haven for anything hackers might want to hide, such as viruses, worms, and Trojan horse programs.

Other software on the CDs transmitted a computer’s Internet address to Sony BMG whenever a user loaded a disc. Once security experts discovered the rootkit and the “phone home” behavior – and exactly how that mystery unfolded is the core of my story – consumers who had bought the CDs were understandably outraged by what they saw as an invasion of their privacy and property. So were advocates of freedom of information in the digital world, such as the indefatigable attorneys at the Electronic Frontier Foundation.

But why should you care about Sony BMG’s blunder? 

* Because when you buy music on a CD, you expect to be able to listen to it wherever you like.

* Because when you install software on your computer, you expect it to behave politely, not invite viruses and worms and Trojan horses to take over your machine and infect others’.

* Because you probably don’t want that same software reporting your Internet address to the recording studio every time you listen to a CD on your computer.

* Because you benefit from the free flow of ideas bolstered by the “fair use” provisions of U.S. copyright law.

* Because you believe in a thriving culture industry – and you don’t want to see the mutually profitable exchange of great content between creators and consumers slowed by a coagulation of ill-conceived digital rights management technologies.

If you’re concerned about the future of art and literature in the digital age, I urge you to read my piece and leave your comments – and to think twice before buying your next “Enhanced & Protected” CD.

More discussion to come.

Deep Dive

Uncategorized

Embracing CX in the metaverse

More than just meeting customers where they are, the metaverse offers opportunities to transform customer experience.

Identity protection is key to metaverse innovation

As immersive experiences in the metaverse become more sophisticated, so does the threat landscape.

The modern enterprise imaging and data value chain

For both patients and providers, intelligent, interoperable, and open workflow solutions will make all the difference.

Scientists have created synthetic mouse embryos with developed brains

The stem-cell-derived embryos could shed new light on the earliest stages of human pregnancy.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.