That Time Sony Secretly Installed Rootkit Software on Hundreds of Thousands of Computers
To echo the sentiment of 2006 nerdcore single, Download This Song, the rise of computers, the internet, and MP3 technology made music a far more customer-centric medium, and boy do company’s hate that. Enter Sony and a rather misguided attempt to limit how consumers consumed music via secretly installing malware on possibly even millions of customer’s computers.
So what happened?
In 2005, Sony BMG (A joint venture of Sony Music Entertainment and Bertelsmann Music Group) released millions of CDs containing hidden copy protection software. Roughly 2 million CDs contained a piece of software known simply as XCP (which stood for Extended Copy Protection) while a further 20 million CDs contained something known as MediaMax CD-3.
While both pieces of software were functionally similar, mostly limiting a user’s ability to copy or rip songs from a given CD, they did have some minor differences- the key one being that, while XCP would only function with Windows based computers, MediaMax would work on both Mac systems and Windows ones. Another perhaps more worrying difference between the two pieces of software was that MediaMax would install hidden software on a user’s computer even if they refused to accept the prompted agreement that popped up when the CD was inserted into their computer, whereas XCP would simply eject the CD from the disk tray if a user refused to accept a similar licensing agreement, rendering the CD and music you paid for unplayable unless you agreed to severely limit how you used it. The early 2000s everybody.
If this didn’t seem backwards enough given, you know, you paid for the ability to play the music, an important thing to note is that neither licensing agreement made mention of the fact that the CD would install hidden, background software onto your computer. In fact, it wasn’t until a computer security researcher called Mark Russinovich was performing routine scans of his system that someone discovered a rather curious piece of software that somehow got on his system. After some digging, Russinovich discovered that the software had been developed by a British company called First 4 Internet, who’d been hired by Sony. Realising he’d bought a copy of the ironically named Get Right with the Man, published by Sony BMG, Russinovich quickly put 2 and 2 together and realised that the CD was the source of the rootkit.
After pouring through the CDs files, Russinovich discovered that not only had the incredibly invasive software been installed onto his system in hidden files that were virtually invisible to an ordinary user, but they also couldn’t actually be uninstalled by normal means. On top of that, Russinovich also discovered that simply deleting the files (a step he noted that would be the first thing most ordinary users would do if they ever actually realised they were there) completely crashed his computer.
If all this wasn’t bad enough, the key concern Russinovich had with the software, other than that it was invasive and offensively anti-consumer, is that it was, to quote him, “poorly written”, leaving it hugely open for abuse by malicious software. To explain in simple terms, the software basically made any file with, “$sys$” as the first characters in its name, invisible to both users and most anti-virus software of the time, meaning any virus or trojan could become totally undetectable simply by using that string of characters. As an example of how easily abusable this system was, shortly after the release of Russinovich findings, people playing World of Warcraft started using this to hide the fact that they were cheating from a dedicated anti-cheating program called the Warden.
As you can imagine for a company that thought so little of its customers that it even considered developing this software in the first place, their official response when the software was discovered was that they couldn’t understand why people cared since “most people don’t even know what a rootkit is“.
When the denizens of the internet as a whole, let’s just say did not respond well to this lackadaisical and anti-consumer response, they suddenly decided to release a program to uninstall XCP from systems. So all was fixed… Except the removal software didn’t actually work.
In a follow up article, Russinovich explained that the uninstaller not only exposed users to more potentially harmful software, but that it actually didn’t uninstall the software at all, instead it just decloaked it. Russinovich also found that the uninstaller would randomly make some computers crash and that it installed another piece of software that constantly sent information about your CD playing habits directly to Sony…
Obtaining the uninstaller was also a laughably farcical affair that involved filling out a form that included the purchasing information for the CD, reading through at least 3 different emails which took you to several different websites which required the installation of another piece of software just to view. Then to top it off, Sony put your email onto a bulk spam mailing list, because why the hell not. Sony also only made information about the installer available to the press and hid the link to it in a FAQ on their website that wasn’t advertised.
Luckily for people who had MediaMax installed on their systems, things were a little simpler and they could remove the software with a relatively simply command prompt or by drawing a black line around the edge of the CD with a marker pen prior to inserting it.
Unsurprisingly consumer advocate groups were a little annoyed with Sony and a class action law suit was filed against the company in 2005, entitling users who bought an offending CD to a free download or $7.50.
Sony also quietly recalled millions of CDs loaded with the software, costing them millions in lost revenue. The Federal Trade Commission also slammed Sony with a lawsuit for engaging in what they described as “unfair and deceptive business practises”, entitling users to a further $150 dollars if they had any demonstrable damage caused to their computers by the software or an attempt to remove it. The FTC also placed a number of restrictions on Sony, forcing them to label their products more clearly.
The media similarly raked Sony across the coals, with countless articles being written about the fiasco, causing severe amounts of negative press for the company and ironically bringing mass public attention to the issues of intrusive copy protection. As a final slap in the face, people pulling apart the software found that it, itself was technically in violation of copyright because it failed to give proper attribution to the open source software it used… However, none of those affected felt secure enough in their position to pursue proper legal recourse against Sony.
Of course, Sony’s stock before and after the ordeal went up almost 20%, so… boy we bet the board really learned their lesson on that one.
Whatever the case, to close, we think this not so subtle stab at Sony by Department of Homeland Security employee, Stewart Baker, sums up everyone’s thoughts quite succinctly: “It’s very important to remember that it’s your intellectual property — it’s not your computer.”
If you liked this article, you might also enjoy our new popular podcast, The BrainFood Show (iTunes, Spotify, Google Play Music, Feed), as well as:
- Who Invented the Computer Mouse?
- Why “C” is the Default Hard Drive Letter in Many Computers
- Who Invented Computer Passwords?
Bonus Fact:
Speaking of Sony and copyrights, Mister Rogers famously didn’t mind if people recorded his show with a VCR, arguing for people’s right to do so in a 1979 case Sony Corp. of America v. Universal City Studios, Inc. At the time, it was being argued by the opposition that this constituted a copyright infringement. Mr. Rogers was one of the few involved in television that did not believe so and felt people should be allowed to record programs.
The Supreme Court noted that Mr. Rogers’ testimony was a significant piece of evidence that helped lead them to their ultimate decision. Specifically, Mr. Rogers stated: “Some public stations, as well as commercial stations, program the ‘Neighborhood’ at hours when some children cannot use it… I have always felt that with the advent of all of this new technology that allows people to tape the ‘Neighborhood’ off-the-air, and I’m speaking for the ‘Neighborhood’ because that’s what I produce, that they then become much more active in the programming of their family’s television life. Very frankly, I am opposed to people being programmed by others. My whole approach in broadcasting has always been ‘You are an important person just the way you are. You can make healthy decisions.’ Maybe I’m going on too long, but I just feel that anything that allows a person to be more active in the control of his or her life, in a healthy way, is important.”
Expand for References- More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
- World of Warcraft hackers using Sony BMG rootkit
- Sony rootkit: The untold story
- Bush Administration to Sony: It’s your intellectual property — it’s not your computer.
- Sony’s long-term rootkit CD woes
- Sony Music CDs Under Fire from Privacy Advocates
- Sony settles ‘rootkit’ class action lawsuit
- Sony, Rootkits and Digital Rights Management Gone Too Far
- Sony BMG rootkit scandal: 5 years later
Share the Knowledge! |
This is exactly why, from 2005 onward, Sony has not and will not get one nickel from me.