fsfe-website/activities/drm/sony-rootkit-fiasco.en.xhtml

<?xml version="1.0" encoding="UTF-8"?>
<html>
<version>1</version>
<head>
<title>Revisiting the Sony Rootkit fiasco</title>
</head>
<body class="article" microformats="h-entry">
<!-- Breadcrumb -->
<p id="category"><a href="/activities/drm/">Digital Restriction Management</a></p>
<!-- / Breadcrumb -->
<h1 class="p-name">Revisiting the Sony Rootkit</h1>
<div class="e-content">
<h2 id="introduction">Introduction</h2>
<p>Imagine someone buys a music CD in a store. They go home and put it into their
computer to listen to it. Without their knowledge, a program is installed. This
program secretly checks whether that person has started a program to copy CDs, and if so,
forces them to stop. It also slows down their computer and opens security holes
which others can use to attack that computer.</p>
<figure class="float-right">
<a href="http://static.fsf.org/nosvn/dbd/2012/day-against-drm/image2.png"><img src="/news/2015/graphics/hi-res-in-chains.png" alt="hi res version"/></a>
<figcaption>
<a href="#restrictions-pictures">See below for more restrictions pictures</a>
</figcaption>
</figure>
<p>That is what happened 10 years ago if you bought one of 25 million music CDs
from Sony. This attack by Sony on people's computers was discovered on 31
October 2005 and was later referred to as the "Sony rootkit". It affected more
than 550,000 networks in more than one hundred countries, including thousands
of US military and defence networks.</p>
<p>Sony's rootkit provides a good example of what companies are willing to do to
restrict users' behaviour with technical means. Even though the Sony rootkit is
now 10 years old, harmful digital restrictions are everywhere. They are shipped
in PCs, laptops, netbooks, ebook readers, audio players, cars, coffee machines,
and other devices. As Digital Restriction Management (DRM) prevents uses of the
device which the manufacturer does not intend, manufacturers can control and limit what
a general purpose computer may be used for. In the case of IT devices with
internet access, they can alter these usage restrictions at any time without
even informing the device owner. As a result, IT manufacturers can take away at will
the common rights that owners of products usually receive.</p>
<blockquote><p>"Manufacturers should never be in a position where they
permanently control the devices they produce. Those who own a device, be it
individuals, companies, public or non-public organisations, should be the ones
who can control it and legally use it." says FSFE's president Matthias
Kirschner. "Such restrictions limit a sustained growth in the development and
use of software, for which unrestricted general purpose computers are
crucial."</p></blockquote>
<h2 id="what-sony-did">What Sony Did</h2>
<p>On 31 October 2005, security expert Mark Russinovich published his
discovery on <a href="https://web.archive.org/web/20121103034052/http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx">
his blog</a> about a piece of spyware, known as a rootkit, that had secretly
installed itself on his computer. He concluded that the rootkit was connected to the proprietary music
player that was included on Sony music CDs. The
hidden rootkit program was used to spy on users and their listening habits,
to share that information with Sony, and to prevent other third-party
audio programs from reading <a href="http://www.technologyreview.com/featuredstory/405741/inside-the-spyware-scandal/page/8/">the disk</a>.</p>
<p>In the process of spying, the rootkit <a href="https://freedom-to-tinker.com/blog/jhalderm/cd-drm-makes-computers-less-secure/">
created additional security flaws</a> which opened the doors for
other, more malicious attacks. Even if users detected the rootkit, safely
uninstalling it without damaging their computer was another problem.</p>
<p>In total, the rootkit was loaded onto <a href="https://w2.eff.org/IP/DRM/Sony-BMG/">
roughly 25 million CDs</a> and <a href="https://www.eff.org/deeplinks/2005/11/kaminsky-rootkit-causing-widespread-infection">
infected more than 550,000 networks in more than one hundred
countries, including thousands of US military and defence networks.</a></p>
<p>But Sony BMG's president, Thomas Hesse, dismissed the issue completely, and was
<a href="http://www.npr.org/templates/story/story.php?storyId=4989260">
quoted as saying "Most people, I think, don't even know what a Rootkit is, so why
should they care about it?"</a>. The press published what Sony was secretly
doing to people's personal property, and Sony was forced to settle <a href="http://news.bbc.co.uk/2/hi/technology/4577536.stm">
numerous lawsuits</a> and to repair customers' trust as quickly as possible.</p>
<p>Despite the fallout of Sony's rootkit experiment, 10 years later restrictions
on users' personal property are more prevalent than ever. Restrictions are commonly found in
legitimately purchased ebooks, video game hardware, and all manner of
proprietary software. They have even found their way into our <a href="https://www.eff.org/deeplinks/2013/11/drm-cars-will-drive-consumers-crazy">
cars</a> and <a href="http://www.wired.com/2015/05/keurig-k-cup-drm/">coffee machines</a>.
Even Steve Jobs lamented the forceful <a href="http://macdailynews.com/2007/02/06/apple_ceo_steve_jobs_posts_rare_open_letter_thoughts_on_music/">implementation of restriction software</a>,
software his own company was well known for using.</p>
<h2 id="The-computer:-a-general-purpose-machine">The computer: a general purpose machine</h2>
<p>Technological restrictions on the legitimate use of devices are dangerous
because they are slowly transforming our computers from general purpose
machines with diverse capabilities into single-purpose devices with a limited
scope of power. Private companies limit computers' functionality because it is
better for business when users are locked in to a particular service
provider.</p>
<p>When users are locked in by restrictions from content providers and
oppressive copyright legislation, society suffers because people lose out on
the possibilities of innovating and experimenting with new products or services,
as well as their ability to fix and improve their own devices. By trying to
restrict the use of devices or content for one specific case (i.e. unauthorised
copying, or preventing outsiders from accessing the device), companies prevent
the computer from being used for all the other legitimate purposes that users may be
entitled to.</p>
<p>This is a major obstacle for future innovation and destroys the computer
as a general purpose machine. Furthermore, these restrictions do not
differentiate between legitimate and illegal manipulations performed on the
computer by its users, imposing blanket constraints on everyone. As a
consequence, no one besides the manufacturer has control over the machines that
control our lives, or over the data stored on them.</p>
<h2 id="fsfe-demands">FSFE Demands</h2>
<p>FSFE's goal is to ensure that the owners of IT devices can always be in full
and sole control of them. For maintaining sustained growth in the development
and use of software, the broad availability of general purpose computers is
crucial.</p>
<ol>
<li>FSFE demands that before purchasing a device, <strong>buyers must be informed</strong>
concisely about the technical measures implemented in this device, as well as
the specific usage restrictions and their consequences for the owner.</li>
<li><a href="/news/2015/news-20150506-01.html">FSFE and other organisations
are calling on lawmakers to safeguard the right to tinker</a> for everyone.
The right to tinker makes sure that the owner of every device is allowed to
replace or supplement the software in that device if they so choose, thereby
empowering owners to control their own property. <strong>To ensure this protection,
FSFE asks the European Commission to propose legislation strengthening a computer
owner's rights, by requiring that every computer owner must be enabled to
modify and exchange the software and hardware on any computing device, and afterwards be allowed to sell it with those modifications.</strong></li>
<li>It is clear that any right to tinker must also be coupled with a legal
provision that allows circumvention of technological restrictions in
such cases.
<strong>For this reason, the FSFE asks
the Commission to propose legislation to ensure that consumers can make use of
digital goods which they have acquired within the full scope of copyright
exceptions and limitations.</strong></li>
</ol>
<h2 id="related-links">Related links</h2>
<ul>
<li><a href="http://www.defectivebydesign.org/">Defective By Design</a> - FSF's side project blog specifically against DRM</li>
<li><a href="https://www.eff.org/search/site/DRM">EFF's DRM info database</a> - EFF's database of all things DRM-related</li>
<li><a href="http://boingboing.net/2005/11/14/sony-anticustomer-te.html">BoingBoing timeline</a> - covers major events following Russinovich's blog post</li>
<li><a href="http://www.technologyreview.com/featuredstory/405741/inside-the-spyware-scandal/">MIT Technology Review</a> - in-depth article on the technology, companies, and fallout of Sony's rootkit</li>
<li><a href="/contribute/spreadtheword#drm-leaflet">DRM.info leaflets</a> - FSFE's leaflets on the dangers of DRM available for download or hard copy</li>
<li><a href="http://ftp5.gwdg.de/pub/linux/kde/extrafiles/akademy/2015/videos/Matthias%20Kirschner%20-%20An%20Endangered%20Species:%20The%20Computer%20as%20a%20Universal%20Machine.webm">Keynote on General Purpose Computing</a> - by FSFE President Matthias Kirschner</li>
</ul>
<h2 id="restrictions-pictures">Related pictures</h2>
<figure>
<a href="http://static.fsf.org/nosvn/dbd/2012/day-against-drm/image2.png"><img src="/news/2015/graphics/hi-res-in-chains.png" alt="hi-res in-chains"/></a>
<figcaption>
<a href="http://creativecommons.org/licenses/by-sa/3.0/">CC BY-SA 3.0</a> by Brendan Mruk and Matt Lee.
<a href="http://static.fsf.org/nosvn/dbd/2012/day-against-drm/image2.png">Hi-res</a>
<a href="http://static.fsf.org/nosvn/dbd/2012/day-against-drm/in-chains.png">Low-res</a>
</figcaption>
</figure>
<figure>
<a href="http://www.geograph.org.uk/photo/3478665"><img src="/news/2015/graphics/Locked-library.jpg" alt="locked library"/></a>
<figcaption>
<a href="http://creativecommons.org/licenses/by-sa/2.0/">CC BY-SA 2.0</a> by Chris Downer
</figcaption>
</figure>
<figure>
<a href="https://pixabay.com/en/privacy-policy-data-security-445156/"><img src="/news/2015/graphics/Locked-CD.jpg" alt="locked cd"/></a>
<figcaption>
<a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0 1.0 Public Domain</a>
</figcaption>
</figure>
<figure>
<a href="https://pixabay.com/en/keyboard-sure-privacy-policy-castle-628703/"><img src="/news/2015/graphics/Locked-keyboard.jpg" alt="locked keyboard"/></a>
<figcaption>
<a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0 1.0 Public Domain</a>
</figcaption>
</figure>
</div>
</body>
<sidebar promo="our-work">
<!-- TODO update at the end to make sure it is correct -->
<h2>Table of Contents</h2>
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#what-sony-did">What Sony did</a></li>
<li><a href="#The-computer:-a-general-purpose-machine">The computer: A general purpose machine</a></li>
<li><a href="#fsfe-demands">FSFE demands</a></li>
<li><a href="#related-links">Related links</a></li>
<li><a href="#restrictions-pictures">Related pictures</a></li>
</ul>
</sidebar>
<tags>
</tags>
</html>
<!--
Local Variables: ***
mode: xml ***
End: ***
-->