[FSFE PR][EN] Final version - Revisiting the Sony Rootkit fiasco 10 years later

Free Software Foundation Europe press at fsfeurope.org
Thu Oct 8 15:39:39 CEST 2015


 = Revisiting the Sony Rootkit fiasco 10 years later =

Today the Free Software Foundation Europe looks back on the Sony rootkit
fiasco from 2005. This page outlines some facts about the rootkit and
how it was handled, as well as some context about what these kinds of
restrictions mean for the notion of computers as general purpose
machines. 31 October 2015 marks the 10 year anniversary of when the
rootkit was discovered, and in preparation for this day, we ask you all
to use this information and spread the word, not only about the Sony
rootkit, but about the dangers of digital restrictions on users'
freedoms everywhere.

[Read online: http://fsfe.org/activities/drm/sony-rootkit-fiasco.html ]


 == Table of Contents ==

 - Introduction
 - What Sony did
 - The computer: a general purpose machine
 - FSFE's demands
 - Press Contact / Interview partner
 - Related Links
 - Related Pictures
 - About Free Software Foundation Europe


 == Introduction ==

Imagine someone buys a music CD in a store. They go home and put it into
their computer to listen to it. Without their knowledge, a program is
installed. This program secretly checks whether that person started a
program to copy CDs, and if so, forces them to stop. It also slows down
their computer and opens security holes which can be used by others to
attack their own computer.

That is what happened 10 years ago if you bought one of 25 million music
CDs from Sony. This attack by Sony on people's computers was discovered
on 31 October 2005 and was later referred to as the "Sony rootkit". It
affected more than 550,000 networks in more than one hundred countries,
including thousands of US military and defence networks.

Sony's rootkit provides a good example of what companies are willing to
do to restrict users' behaviour with technical means. Even though the
Sony rootkit is now 10 years old, hurtful digital restrictions are
everywhere. They are shipped in PCs, laptops, netbooks, ebook readers,
audio players, cars, coffee machines, and other devices. Because Digital
Restriction Management (DRM) prevents uses of the device which the
manufacturer does not intend, manufacturers can control and limit what a
general purpose computer may be used for. In the case of IT devices with
internet access, they can alter these usage restrictions at any time
without even informing the device owner. As a result, IT manufacturers
can take away, at will, the common rights that owners of products
usually receive.

  "Manufacturers should never be in a position where they permanently
  control the devices they produce. Those who own a device, be it
  individuals, companies, public or non-public organisations, should be
  the ones who can control it and legally use it." says FSFE's president
  Matthias Kirschner. "Such restrictions limit a sustained growth in the
  development and use of software, for which unrestricted general
  purpose computers are crucial."

 == What Sony Did ==

On 31 October 2005, tech security expert Mark Russinovich published his
discovery on his blog[1] about a piece of spyware, known as a rootkit,
that secretly installed itself on his computer. He concluded that the
rootkit was connected to the proprietary music player that was included
in Sony music CDs. The hidden rootkit program was used to spy on users
and their listening habits, and share that information with Sony, as
well as prevent other third party audio programs from reading the
disk[2].

In the process of spying, the rootkit created additional security
flaws[3] which opened the doors for other, more malicious attacks. Even
if users detected the rootkit, safely uninstalling it without damaging
their computer was another problem.

In total, the rootkit was loaded onto roughly 25 million CDs[4] and
infected more than 550,000 networks in more than one hundred countries,
including thousands of US military and defense networks[5].

But Sony BMG's president, Thomas Hesse, dismissed the issue completely,
and was quoted as saying "Most people, I think, don't even know what a
Rootkit is, so why should they care about it?"[6]. The press published
what Sony was secretly doing to people's personal property and Sony was
forced to settle numerous lawsuits[7] and repair customers' trust as
soon as possible.

Despite the fallout of Sony's rootkit experiment, 10 years later
restrictions on users' personal property are more prevalent than ever.
Restrictions are commonly found in legitimately purchased ebooks, video
game hardware, and all manner of proprietary software. They have even
found their way into our cars[8] and coffee machines[9]. Even Steve Jobs lamented
the forceful implementation of restriction software[10], software his
own company was well known for using.


 == The computer: a general purpose machine ==

Technological restrictions on the legitimate use of devices are
dangerous because they are slowly transforming our computers from being
general purpose machines with diverse capabilities to being singular
devices with a limited scope of power. Private companies limit computers'
functionality because it is better for business when users are locked in
to a particular service provider.

When users are locked in by restrictions from content providers and
oppressive copyright legislation, society suffers because people lose
out on the possibilities of innovating and experimenting with new
products or services, as well as their ability to fix and improve their
own devices. By trying to restrict the use of devices or content for one
specific case (i.e. unauthorised copying or to prevent outsiders from
accessing the device), companies prevent the use of the computer for all
other legitimate purposes that users may be entitled to.

This is a major obstacle for future innovations and destroys the
computer as a general purpose machine. Furthermore, these restrictions
do not differentiate between legitimate or illegal manipulations
performed on the computer by its users, imposing blanket constraints on
everyone. As a consequence, no one besides the manufacturer has control
over machines that control our lives, and the data stored on them.

  "Try to build a kitchen knife which prevents others from killing
  someone with it. You cannot technically restrict one use case without
  restricting many others as well." says Matthias Kirschner.


 == FSFE Demands ==

FSFE's goal is to ensure that the owners of IT devices can always be in
full and sole control of them. For maintaining sustained growth in the
development and use of software, the broad availability of general
purpose computers is crucial.

1. FSFE demands that before purchasing a device, buyers must be informed
concisely about the technical measures implemented in this device, as
well as the specific usage restrictions and their consequences for the
owner.

2. FSFE and other organisations are calling on lawmakers to safeguard
the right to tinker for everyone. The right to tinker makes sure that
the owner of every device is allowed to replace or supplement the
software in that device if they so choose, thereby empowering owners to
control their own property. To ensure this protection, FSFE asks the
European Commission to propose legislation strengthening computer
owners' rights, by requiring that every computer owner must be enabled
to modify and exchange the software and hardware on any computing
device, and afterwards be allowed to sell it with those modifications.

3. It is clear that the right to tinker must also be coupled with a
legal provision that prevents technological restrictions of the same
right. For this reason the FSFE asks the Commission to propose
legislation to ensure that consumers can make use of digital goods which
they have acquired within the full scope of copyright exceptions and
limitations.


 == Press contact / interview partner ==

  Matthias Kirschner: press at fsfeurope.org (English, German)
  President Free Software Foundation Europe
  Schönhauser Allee 6/7, 10119 Berlin, Germany
  +49-30-27595290

If you would like to have an interview or answers to your questions in
another language, please contact us, and we will refer you to someone
speaking that language.


 == Related links ==

- Defective By Design - EFF's side project blog specifically against
  DRM <http://www.defectivebydesign.org/>

- EFF's DRM info database - EFF's database of all things DRM related
  <https://www.eff.org/search/site/DRM>

- BoingBoing timeline - covers major events following Russinovich's
  blog post <http://boingboing.net/2005/11/14/sony-anticustomer-te.html>

- MIT Technology Review - In depth article on the technology, companies,
  and fallout of Sony's rootkit
  <http://www.technologyreview.com/featuredstory/405741/inside-the-spyware-scandal/>

- DRM.info leaflets - FSFE's leaflets on the dangers of DRM available
  for download or hard copy
  <http://fsfe.org/contribute/spreadtheword#drm-leaflet>

- Keynote on General Purpose Computing - by FSFE President Matthias
  Kirschner <http://ftp5.gwdg.de/pub/linux/kde/extrafiles/akademy/2015/videos/Matthias%20Kirschner%20-%20An%20Endangered%20Species:%20The%20Computer%20as%20a%20Universal%20Machine.webm>


 == Related pictures ==

Related pictures under Creative Commons licenses are available on:
http://fsfe.org/activities/drm/sony-rootkit-fiasco.html#restrictions-pictures

 == References ==

  1. http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
  2. http://www.technologyreview.com/featuredstory/405741/inside-the-spyware-scandal/page/8/
  3. https://freedom-to-tinker.com/blog/jhalderm/cd-drm-makes-computers-less-secure/
  4. https://w2.eff.org/IP/DRM/Sony-BMG/
  5. https://www.eff.org/deeplinks/2005/11/kaminsky-rootkit-causing-widespread-infection
  6. http://www.npr.org/templates/story/story.php?storyId=4989260
  7. http://news.bbc.co.uk/2/hi/technology/4577536.stm
  8. https://www.eff.org/deeplinks/2013/11/drm-cars-will-drive-consumers-crazy
  9. http://www.wired.com/2015/05/keurig-k-cup-drm/
 10. http://macdailynews.com/2007/02/06/apple_ceo_steve_jobs_posts_rare_open_letter_thoughts_on_music/

  == About the Free Software Foundation Europe ==

  Free Software Foundation Europe is a charity that empowers users to
  control technology. Software is deeply involved in all aspects of our
  lives; and it is important that this technology empowers rather than
  restricts us. Free Software gives everybody the rights to use,
  understand, adapt and share software. These rights help support other
  fundamental freedoms like freedom of speech, press and privacy.

  The FSFE helps individuals and organisations to understand how Free
  Software contributes to freedom, transparency, and self-determination.
  It enhances users' rights by abolishing barriers to Free Software
  adoption, encourages people to use and develop Free Software, and
  provides resources to enable everyone to further promote Free Software
  in Europe.

  http://fsfe.org/

