"continue to believe that the underlying problem is DRM. Many technologists and consumer advocates harbor a deep animus towards DRM, so Sony's technology failings are being held to a heightened standard."

This isn't the first time you've expressed this sentiment and initially I was inclined to agree. It certainly not something that can be dismissed out of hand since many technologists, myself included, are very fond of DRM. However, I think that its at best a secondary issue. Most of the discussion I've seen has barely mentioned the DRM and hasn't touched on any of the usual hot button issues associated with the DRM controversy. If you want to understand the anger coming out of the technology community over this, I think you need to focus on the rootkit (and the inability to remove software that had proven itself harmful to the system).

The following link (which I expect you are aware) describes the initial discovery of the rootkit.
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Note that a substantial amount of effort was expended before it was discovered that it had any relationship to the DRM software and that the DRM aspects are hardly touched upon (and the author, in fact, expresses an ambivilant rather than openly hostile view). Up to this point, rootkits were not considered to have any legitimate purpose (and one might say that that view hasn't changed). What makes this worthy of note is not that its DRM software, but rather that the rootkit was installed as part of otherwise legitimate software package by a company with (at least until now) a good reputation. I'll touch upon the implications of that in a moment.

The core issue here is a users control over thier computer. Technologists, legitimately or not, are loathe to give up any control. A functioning rootkit makes it impossible for a user to have total control over his system. Diagnostics both manual and automatic, virus scanners and other security utilities, and any number of other forms of computer maintenance rely on the the system faithfully reporting its configuration. This is precisely what the rootkit is designed to prevent.

Another post from the same blog as above. I want to highlight a particular section:
http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html
Besides demonstrating the ineptitude of the First 4 Internet programmers, this flaw highlights my message that rootkits create reliability risks in addition to security risks. Because the software package that installed the rootkit is hidden when Windows is running (in this case Sony’s DRM software), and even if exposed not clearly identified, if an application triggers one of Aries.sys’s bugs a user would have no way of associating the driver responsible for the resulting crash with any software package they have installed on their system. The user would therefore be unable to conclusively diagnose the cause of the crash, check to see if they have the most recent version of the driver or of uninstalling the driver."

The problem here is not the result of a bug or sloppy coding but is inherent in the functioning of the software as designed. The only way to properly diagnose a system with a rootkit installed is to first disable the rootkit. This something that the people developing the software
obviously are going to be working to prevent since otherwise the rootkit isn't going be of any use to them.

I think the other major issue that is causing concern is the question "how can I as a user prevent rootkits from getting on my system?". Because while I would be reluctant to install the DRM package, I might be convinced in some circumstances. The rootkit, however, is a deal breaker. And the trouble is, absent a useful disclosure, there isn't any way to avoid it (nor is it easy, by design, to determine if one has been installed).

From the first article:
"Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug."

I think this is the crux of the matter. Up until this point the main to avoid malicious software (and a rootkit qualifies, if not legally, in the eyes of the technology community) was to deal only with trusted sources. There are few realistic alternative besides trusted sources to managing computer security. If the EULA is considered sufficient disclosure for what was installed then I am left with the conclusion that I must, for the security of my computer, assume that any DRM scheme will install software designed to compromise my system unless I am giving specific notice to the contrary. And I must look very carefully at any software that is likely to include such software and ask myself very carefully if I can live without it. That is a very troubling notion to deal with and it has very little to do with the politics of DRM.

Kevin, you make a lot of good points. However, I wonder--how many other "legitimate" software programs install rootkits, and what would be the response if those other programs involved something other than DRM? Or, if Sony installed DRM software that had all of the same consequences as this install but without using a rootkit--would the objections be the same?

I think it's a complex but potent combination of concerns driving the gripes against Sony--frustration with EULAs, users' lack of meaningful power to control their desktops, sloppy and intrusive software design and a DRM kicker. But given that all of the foregoing elements (other than DRM) are ubiquitous, I'm pointing the finger at DRM as the differentiator.

Thanks for the thoughtful and detailed comments. Eric.

Eric,

I can understand where you are coming from. I also believe that you need to read the following article:
http://blogs.zdnet.com/Spyware/?p=696

After installing a lot of other software packages I have not found any others that install root kits, other than malicious software, or software that has been modified with either a Trojan or with the rootkit in the exe file. I happen to be a desk side IT guy and studying to get my BS in information security. To be honest these types of illegal operations really scare the crap out of me. The biggest concern as posted in the article by Mark Russinovich for me is that I will have one of my users have this software install and then have problems which will cause them to loose productivity. After doing some more research on this, and with the help of a couple of friends, I have found that after installing the "legal" rootkit other software packages or malware software can be installed and hidden by this rootkit. I have read a post for World of Warcraft that basically had players writing how they could use this software to get around different security software packages in place to stop people from cheating. Here is the link that I read the information from:
http://www.wowsharp.net/forums/viewtopic.php?t=7251

One of my biggest concerns is that someone will use this software and then incorporate a virus or worm with it and now you have a completely silent killer/spy agent out there that no one knows about. There could be trillions of dollars worth of data stolen and or peoples lives compromised because of this. I think that Sony isn't just negligent. I believe that because they are the ones distributing a rootkit that they have full liability and need to be held accountable for sending out a software that is not only considered spyware by Kaspersky, an anti-virus software manufacturer, but as per the ZDNET article can cause damage to the system. Since this software does require either an expert in windows, and to a point in CD writing/functionality that it should be considered a virus or some kind of malware. I believe that we need to send a definite message to large companies that like Sony that they are not above the law when it comes to situations like this, even in an EULA.

Okay, I'm an applications developer on an internals or security guy, so my knowledge is not comprehensive. However, I don't believe that there have been any previous legitimate software installs to incorporate a rootkit. My understanding is that detection of a rootkit is taken as evidence that the system has been compromised. I think that the outcry we've seen is inevitable regardless of what kind of software that is being concealed (though I won't go so far as to claim that the fact that is DRM doesn't make it a bit louder).

The problem with the Sony software is not that it had DRM, but that it was a rootkit. A rootkit takes over an OS functions in such a way that it hides the attackers tracks. It is commonly used after a break-in on a server, to hide the fact that the break-in occured.

So Sony's DRM was not a normal application, which installs with the user's permission, does what it says, and is uninstallable.

They lied about what it was doing, altered Windows in a dangerous way, and also send information back whenever their CDs are played.

In my way of thinking, that is clearly computer trespass, and illegal. Some call it spyware, but it goes way beyond spyware, it is an attack on the consumer's computer, plain and simple.

So your comments justifying this leave me wondering how much you know about computer security?

Just wanted to add a couple points to the discussion:

A rootkit is a piece of software that alters core OS functions in order to hide files, running programs and registry keys. There are a few examples of legitimate software, like anti-virus programs (to protect themselves against viruses that try to disable antivirus protection) and virtual CD drives that employ some rootkit-like techniques. But before Sony XCP DRM, I have never seen any 'legitimate' software that contains a full-blown rootkit.

Unlike regular application software, where a bug will only terminate the application, a rootkit alters the core OS. Any bug in a rootkit can cause the dreaded blue screen of death. Unfortunately, XCP is buggy. If you had done a google for 'aries.sys' (the rootkit part of XCP) before the media storm, you would have found a lot of forum posts by people complaining about bluescreens and trying to figure out where it came from. It seems XP Media Center is particularly prone to crashes caused by aries.sys, and the situation for the latest beta of the next version of Windows - Vista - is even worse. "breaks Vista spectacularly", was the comment from F-secure, an anti-virus company.

Combine this with a less than up-front EULA, Sony officially claiming that there is no problem, the fact that detective work was needed to discover where the software came from, the contorted process required to get the uninstall tool, and the fact that XCP is more about putting pressure on Apple in a business dispute than about stopping illegal copying...

Oh, and no mention in the software itself or any accompanying help-files on how to contact Sony in order to uninstall XCP. That information was given to journalists in a press release, but is not included on the music CDs.

*That* is why Mark and others are blowing a gasket. Not because of DRM. He is still updating his blog with more information, btw. http://www.sysinternals.com/blog/

Yeah, you have the "information wants to be free" crowd joining in, but that's really a side issue.

As a media duplicator we were dragged into this...

This is actually Round 2. Sony took it upon themselves too create the "key" in an attempt too protect their share of a market place. When we first saw the code, 9 months ago, Sony told us it was "copy right protection code". An effort at weeding out the pirates. Once we discovered the "uninstalled" portion, we had a feeling they crossed the line.

Being on the lower end of the food chain, what can you do? It's SONY... Like they don't have money too tie-up our court system. They simply stay the course of addressing "illegal copies"
protecting market share. Once every quarter they make announcements of un-covering the source of lost revenue, showing the industry is not doing anything.

What we fail too understand is the belief by bringing them (Sony) to court this will change.
Review the whole board, Sony is more concerned about China. Do not underestimate the lengths they will go too protect what "Sony thinks" is theirs. Do not buy Sony products until they change the code. Sorry that would be too hard.

I just wonder what would eventually happen if Mark had not discovered this issue and made the announcement.

In August, way before Mark, this had been discovered but did not have the media attention it got this time. (http://castlecops.com/print-1-130470.html).

If it had not gotten the attention it got with Mark, those trojans out today might not have been discovered.
In a way, I think Sony should thank Mark for raising the rootkit issue or Sony could have even more problems had the problem been discovered after millions of computers had been infected and billions of dollars lost because they failed to fully disclose what their software was actually doing.

As others have mentioned, Sony's (or rather, First4's) software isn't just "ineptware," suggesting some sloppily written application and nothing more.

It is potentially dangerous "sneakware," employing a rootkit. This is serious stuff, and Sony deserves all the backlash it is currently receiving for it. The software developers were not just ineptly writing something that functions as a rootkit. They were not just unknowingly sloppy when they wrote software that cannot be uninstalled by any normal means. They were not simply amateurish coders when they created software that installs a rootkit but makes no mention of that fact in the user agreement.

The best part of this entire saga is how it so thoroughly blew up in Sony's face, to the point of their now recalling the offending CDs. And then, even better than that is the news that the product incorporates technology based on LAME (the MP3 encoder) which is in violation of LAME's licensing agreement. So Sony's DRM product, which is intended to protect copyrighted material, violates copyrights itself. What irony!