Sonys Second Rootkit DRM Patch Doesnt Hush Critics

By Paul F. Roberts  |  Posted 2005-11-08

Sonys Second Rootkit DRM Patch Doesnt Hush Critics

Sony Corp. released yet another patch for its maligned digital rights management software on Tuesday, as the company fended off barbs from computer security experts.

Sony is being criticized for installing stealth programs, known as "rootkits," which harvest information and make unauthorized updates to customers machines.

Researcher Mark Russinovichs analysis of Sonys new DRM technology put Sony and its partner, First 4 Internet Ltd., in the spotlight.

One week later, Russinovich used a Weblog entry Sunday to blast the companies response: a large and cumbersome software patch that Russinovich claims could harm Windows systems.

Read more here about what Sony is doing to help users remove its rootkit-like DRM.

Sony responded on Tuesday with a slimmed-down version of the same patch. But the change has done little to quiet critics.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Speaking with eWEEK, Russinovich repeated claims that Sony was transmitting data on its customers without properly informing them, and pushing copyright control software that could harm Microsoft Corp.s Windows systems.

The controversy over Sonys rights management technology, which it calls "sterile burning," erupted last week, after Russinovich discovered the cloaked software on his own computer and published a detailed analysis of it on his blog at

According to analysis by Russinovich and experts at other security companies like F-Secure Corp. and Computer Associates International Inc., the DRM technology manipulates the Windows core processing center, or "kernel," to make it almost totally undetectable on Windows systems and nearly impossible to remove without fouling Windows, he wrote.

Sony BMG acknowledged that the rootkit-style features are part of DRM technology that began shipping with CDs in 2005, and quickly released a software patch to disable it.

The company also posted instructions for obtaining a program that could remove the DRM technology altogether.

Neither Sony BMG nor First 4 responded to e-mail and phone requests for comment in time for this article.

Sony BMG has tried to fend off criticism from Russinovich and privacy advocates like Ed Felten, Professor of Computer Science and Public Affairs at Princeton University and creator of the Freedom to Tinker Web site.

Felten, Russinovich and others say the company did not provide adequate disclosure in its End User License Agreement about the stealth features, or come clean about activity that suggests that Sony is transmitting information about what CDs are being played on the customers computer back to servers at Sony BMG.

Next Page: Sony defends its DRM technology.

Sony Defends Its DRM


Sony BMG executives have defended the companys actions.

"Most people dont know what a rootkit is, so why should they care about it," Thomas Hesse, president of Sony BMGs global digital business, said in an interview with National Public Radio on Friday.

"The software is designed to protect CDs from unauthorized copying and ripping," he said.

Hesse also denied that Sony BMG is transmitting any information on its customers behavior.

In his blog at, Russinovich disputed those claims. According to Russinovich, both the DRM software and an Active X program, which Sony BMG asks customers to download to receive a DRM removal program, create encrypted communication tunnels back to Sony BMG servers.

Russinovich said he does not know what information is being transmitted in those communications, but claims that Sony is at least able to connect information on the CD that was purchased and the IP address of the machine playing it.

In a response to Russinovich, First 4 Internet said the player simply sends information on which CD is being played in order to display additional content, such as links to the artists Web site in a rotating banner in the media player program.

First 4 also dismissed as "conjecture" Russinovichs claims that the software could cause Windows to crash, prompting Russinovich to post an updated analysis with what he claims is proof that the First 4 rootkit features can cause Windows to fail ungracefully, including a "blue screen of death" that names the First 4 driver as the source of the sudden failure.

Speaking on Tuesday, Russinovich said Sony and First 4 have been keen to address criticism, but have taken few steps to actually ensure that customers who might have the DRM technology installed on their computers can remove it.

The main page of Sony BMGs Web site doesnt have any links or information to customers who installed the DRM technology.

Beyond that, individuals, including Russinovich, who submitted personal information through a Web-based form and installed an Active X component from First 4 Internet in order to receive a program to remove the DRM technology, still havent received the program that Sony promised, he said.

"The patch and uninstaller were mostly for the press, not the consumer," Russinovich said.

A U.K. film group joins with the government to push "widespread" DRM use. Click here to read more.

Sony BMG bungled by including the rootkit features with its CD to begin with, then dug itself in deeper through its response to the criticism of the program, said Sam Curry, Computer Associates Inc.s vice president of eTrust Security Management.

"Enough is enough. Sony is consistently failing to realize the rights of users and of corporate users," he said.

CA is adding detection for the First 4 cloaking technology to an update of its PestPatrol anti-spyware product on Nov. 12, and will label the program a "rootkit," Curry said.

Customers should be able to play Sony CDs using their preferred media player, not one dictated by the music company, Curry said.

"Customers bought [music] content, not software …Theyre not bargaining on their $2,000 PC being turned into a media extension for their $20 CD," he said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Rocket Fuel