Sony is in monumentally deep s**t.
There is no other possible way to describe the troubles facing Sony in the past few months. When the US Department of Homeland Security issues a direct statement warning Sony against the obvious security issues regarding software they are using, you know there is a serious problem. Who would have guessed that the new Our Lady Peace CD sitting on your shelves could pose a serious security risk?
Unfortunately, this has become the case. You may or may not know this, but over the past few months Sony has faced growing legal troubles regarding a controversial software they used on a number of their CDs. Dubbed XCP, short for Extended Copy Protection, the software is a hidden application that automatically downloads to your system upon accepting the (3,000 word) End User License Agreement on the CD. Now, downloading unknown software is bad enough. But it doesn't end there.
Tech blogger Mark Russinovich revealed in posts on his website just what Sony was using for this software. You may have heard of rootkit programs. Recently they have come under fire for illegal use in online games like World of Warcraft, because they are nearly impossible to track and eradicate. That should be a warning right there. Sony hired a UK-based computer company to design this software, using the same rootkit tools hackers use to gain access to your system through malicious Trojans and spyware.
The infection (it is officially an infection now) was so bad that Microsoft, Symantec (Norton Antivirus), Apple, and the US Government (among others) have dubbed it everything from spyware to a Trojan to an out and out virus.
This software apparently tracks both your listening habits and IP address, sending this information back to Sony, allowing them to literally track your music movements. All this while restricting the play options of the CD. That would be bad enough, but to make things worse not only does the software cause major system errors (such as crashes, deletion of random files) but it opened your computer to numerous security risks. Upon attempted deletion (which, technically according to the wording of the EULA, is illegal despite it being an obvious breach of the same agreement) there were cases where it would actually disable your CD drive.
Sure sounds like a malicious file to me, Sony.
For a while they refused to comment, offering a free patch and uninstaller on their website. All the patch did was unhide the software. That's right, the files were hidden files located in an irremovable folder within your system. Rather than solve any problems, it actually opened computers up to a host of new security issues.
The same could be said for the uninstaller. However, to get it you actually had to ask Sony for permission. That's right, you had to ask a company for permission to remove the hidden spyware software that THEY secretly downloaded to your system. First you were required to fill out a form and send it in, with simple information like where you got it and the name of the CD. It also required your email address, which according to them would be given to third parties who would be free to contact you directly. And you had no choice. If you didn't provide a valid email you wouldn't get the email.
Not that it contained the uninstaller. It contained the patch, and information on how to get the uninstaller. Even had you received the uninstaller, reports varied in terms of damages. Most agreed that it opened your system up to even MORE risks. Skilled hackers were able to use the uninstall protocols to instantly access computers. Amazing how the hackers move faster than the company. Maybe they should consider hiring these people, instead of punishing paying consumers. But that's just me (and millions of other consumers). Who listens to me (and the millions of consumers). And even then, it didn't actually uninstall the program. You heard that correctly. You are forced to jump through hoops to give out personal information to unknown third parties and open your computer to even more security risks.
As another interesting note, the files would also not work on the Apple iPod. Apple is major competition for Sony, so that looks like a pretty obvious attack. So, Sony has decided that they're not going to play fair. I thought there were laws to make sure companies could compete in a fair and balanced marketplace? Isn't this what Microsoft is always getting into trouble for? If nothing else, they should be investigated for this as well. I don't care what they say, I have never had any trouble loading files into iTunes for upload to my iPod. They can say what they want, personally I think it's just them trying to divert attention from their own actions and lay blame on someone else entirely.
This was several weeks ago.
These past weeks Sony has not issued a formal apology for the troubles. They have, however, issued a full North American recall of ALL discs with the XCP software, have an easy-to-find uninstaller in a prominent place on their website, and are offering free shipping and replacement CDs (either CDs in the mail or MP3 files through email, both completely unprotected). None of this at any cost to anyone. All production of the XCP CDs has halted, and new discs will be released sans infection.
Yes, it is officially an infection, according to everyone except Sony who have yet to make an official statement regarding this. Why, then, with such a mass recall do millions of these discs remain on store shelves? Because most stores don't even know about the recall. Many don't even know about the issue itself! How can they hope to accomplish ANYTHING at all with such a blanket of ignorance covering every bloody person involved?
Supposedly, while this infection is localized in the US only, over 40,000 cases have been reported in the UK. Which isn't quite as high as the supposed 2.1 MILLION infected units purchased in the US. Also somewhat interesting is the fact that, mere weeks after having announced that they had released the discs in the US only, over 120,000 units in Canada are confirmed to have the XCP program. Sony is doing a real bad job of keeping track of things. Each week there seems to be something new contradicting their official statements. Where is the next batch going to pop up?
A number of class action lawsuits have been filed in various places around the US, and more are expected to follow. In Texas, for example, because of new spyware laws and the sheer number of infected computers, Sony could stand to lose upwards of $100,000 per computer. With the estimated 2.1 million infected units sold in the US, they could stand to lose in the double digit billions if these lawsuits go through. At $100,000 a computer, even if half of the units result in a lawsuit it would cost Sony upwards of ten billion dollars. Because of the EULA multiple computers could not be used, so chances are there won't be many more infections than units sold. However, accurate numbers cannot be confirmed because of the nature of the infection.
And all of this coming right before the launch of Sony's newest console, the PlayStation 3. A MAJOR console release, and a massive move for Sony, and now they are facing losses in the billions depending on how things go. Not only does the PlayStation 3 face losses, but consider that Sony is a major supporter of the Blu-Ray format, currently up against HD supported by Toshiba. How big of a hit will that format take if the major supporter is involved in a massive controversy such as this? I can't help but wonder how much this will shake the confidence for a digital disc format they are the major supporters for. Bad move, Sony. In the realm of bad moves, this is one major son of a motherf**k up. I am talking so big the executives had better start redeeming themselves via falling upon blades. It will undoubtedly have major repercussions on copy protection and the RIAA involvement in digital music rights in the coming years, and lord knows what will happen to Sony.
Some links relevant to this issue:
List of Compact Discs with XCP
Information on Extended Copy Protection (XCP)
Mark Russinovich's Website -- Includes link to his blog where the story first surfaced.
Information on the Sony Controversy -- Includes external links to relevant websites regarding this issue.
Electronic Frontier Foundation -- Have had some major coverage and articles.
Boycott Sony Blog
Canadian Discs with XCP
Official Sony Uninstaller
Information About the Uninstaller (from Mark Russinovich's Website)
Description of Trojan rootkit
Thanks to theprodigalson for some of the links.