In an interview on NPR recently, a Sony executive, in response to the clamor about Sony's questionable actions and inadequate response regarding its CD rootkit deployment, suggested that since most people don't know what a rootkit is, they had little reason to care about it. I think this takes the cake for the most arrogant comment I have ever heard from a top technology company executive!
Rootkits, by design, are virtually undetectable by anti-virus and anti-spam products. Even if they are detected, they integrate themselves so completely into the operating system that they are almost impossible to remove without going through a clean OS installation. Sony is already being sued over this; the California class-action suit (PDF court copy) is only one. There's another pending in New York, and another from abroad, that I've read about so far. Don't be surprised to see more lawsuits. Sony has, in their arrogance and stupidity, created the classic Corporate Ethics 101 textbook example of attempting to solve a problem via subterfuge, and succeeding only in creating a much bigger problem.
The problem with Sony's rootkit is that once installed, it can hide any file, regardless of who puts it there. Meanwhile, the Trojan Stinx-E has been proliferating to take advantage of Sony's incredible blunder. The post distributing it also quotes Sony's now-CEO as saying in 2001 that it would cheer him up to dispatch a virus, evidently to punish those who illegally copy music.
The software, which Sony included on 20 or more recent CDs, gives no warning of the rootkit, nor does it inform users that it prompts PCs to contact a Sony website for updated lyrics or art and, in the process, reveals the user's internet address and details about how often the CD has been played. Another blatant violation of our privacy rights.
Obviously, if you get one of these Trojan files with an executable named "Article+Photos.exe" in the mail, don't click on it unless you really want a good reason to FDISK your hard drive and completely reinstall the works!
No matter what happens to Sony in the legal arena because of their incredible arrogance toward the consumer who purchases their music CDs, the best way to handle this whole thing is to teach Sony (and its arrogant corporate brethren) a quick lesson in Economics 101: DON'T BUY SONY.
That's my two cents!
Follow Up, Nov 15 2005: "From the frying pan into the Fire":
Sony BMG and the company that developed the antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom, released a program that uninstalls XCP.
But the uninstaller has created a new set of problems.
To get the uninstall program, users have to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, it makes the PC open to downloading and installing code from the Internet.
According to a Princeton analysis, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet.
"The consequences of the flaw are severe," the Princeton researchers said. "It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."
There's much more to this story, including the fact that researcher Dan Kaminsky found that 568,200 DNS servers knew about the Sony addresses, which means at least one compromised machine exists behind every one of them.
But the real protest should be by the artists whose work is represented on the BMG label. If I were one, I'd be voting with my feet to get away from Sony just as fast as I could.