I remember hearing a little about this when it happened, but not as much as I probably should have. I was reminded of it by a recent interview with Cory Doctorow, the science-fiction author and activist, in which he mentioned the secret Sony “rootkit” scheme, which the music and technology giant implemented in 2005 or so. Believe it or not, this involved Sony sending out tens of millions of music CDs with not one but two secret software programs on them. Both of these programs were essentially what programmers call “rootkits,” meaning they gave Sony access to the deepest levels of a user’s operating system and allowed it to make changes without informing the owner.
As Doctorow explained, one of the programs that secretly installed itself actually changed the user’s operating system so that it couldn’t recognize any program that began with a specific string of characters, and then installed software that used that same string of characters in order to make it impossible to copy the content from the CD. The other secret program sent regular reports on the user’s listening habits to Sony without telling the computer’s owner. In a really killer twist, the software was configured to do this even if the user refused the company’s end-user license agreement (EULA).
All of this was, to use Doctorow’s phrase, “radioactively illegal.” Sony initially denied that the rootkits were harmful, even though there was evidence that malicious software makers had used the vulnerability Sony’s software created to infect computers, since all they had to do was use the same string of characters to hide their programs. The software eventually spread until it infected more than 550,000 networks in more than one hundred countries, including thousands of US military and defence networks.
In a classic Sony move, the company released software that would supposedly uninstall one of the programs, but all it did was make the program’s files visible, and at the same time installed more software that was difficult or impossible to remove, and sent the user’s email address to Sony while also introducing further security vulnerabilities.
To further compound the fuckery, Sony also infringed copyright itself by using a number of open source software programs on the CDs — including the LAME MP3 encoder — which it modified and/or used in ways that were not permitted by the licensors of those programs. The company was subsequently sued by several state attorneys-general, and by users in a class-action suit. It recalled the CDs and replaced them with uninfected discs, and settled with the states by paying fines and agreeing to never use such methods again.
Doctorow goes on to say that this kind of digital-rights management tactic may seem old-fashioned now, but plenty of companies keep trying similar things to prevent users from doing things they don’t like — including printer companies like HP, who use software to detect whether someone is using non-branded ink cartridges. All of these approaches introduce vulnerabilities that can be exploited. Cory provided just one example, from a presentation by a security researcher named Ang Cui:
“He showed that he could update the firmware of an HP printer by sending it a poison document. You just give, like, the HR department a document called resume.doc. And when they print it the printer’s firmware is updated silently and undetectably: it scans all future documents for Social Security numbers, and credit-card numbers, and sends them to him. It opens a reverse shell to his computer, through the corporate firewall, and then it scans all the computers on your LAN for known vulnerabilities and takes them over.”