More Sony Shennanigans

Oh, the fun just doesn’t stop with the Sony Corporation these days! An update on the Sony rootkit copy protection, regarding the offical uninstall proceedure as provided by Sony as told by the guy who was the originial discoverer of this wonderful corporate ‘fuck you!’:

“Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.”

A very apt and succinct quote that indicates just how assholish Sony is being about this whole thing.

Here’s a rundown on the steps needed to uninstall the rootkit via Official Channels:
1. Go to Sony’s “support” site
2. Through the use of mysterious incantations and sacrifices, ordain that Sony’s FAQ has the information you require (it’s not listed in any way — or even admitted to — on the main site; out of site out of mind)
3. Click on the Uninstall link
4. Fill out an obnoxious form with your email address and purchasing information, which also adds you to their marketing spam division
5. Wait for the email from Sony giving you a “Case ID”, which directs you to install the patch and then visit another page if you still really want to uninstall. Because, y’know, you might LIKE having a rootkit installed on your system.
6. Go to the page and install an Active-X control (yes, this means you MUST use IE to uninstall the rootkit) called CodeSupport.Ocx.
7. Fill out YET ANOTHER FORM with your Case ID and the reason you want this wonderful, feature-rich device that only helps you removed.
8. Get another email which tells you that someone will email you uninstall instructions within one business day.
9. Finally recieve a message from Sony with another link to go to for you own personal uninstallation page. Oh, and the email has a confidentiality agreement in it; can’t have you speading bad vibes about Master Sony, can we? Also, the uninstaller will expire in one week.
10. Go to the page and if the computer is the same one you actually filled out all this garbage on, it finally uninstalls the rootkit.

Yes, that’s right. You can’t fill out all the trash on a non-infected computer and expect it to work. It seems that First4Internet and Sony, geniuses that they are, send an encrypted message to Sony HQ detailing all the hardware on your system and giving it a hash ID. If you visit that “personalized” site with hardware that doesn’t match, you get an error message. This, of course, makes the official method pretty much useless for corporate users who may have dozens or hundreds of machines to take care of. Why does Sony need to make sure the same computer that said ‘I NEED TO UNINSTALL YOUR ROOTKIT, BIOTCH!’ is the same one that actually unininstalls it? There’s no technical reason; Sony is basically hoping people will give up after having to jump through all these hoops.

To add insult to injury, Sony has made no attempt to publicize the problem. They gave a half-hearted press release indicating the existence of the uninstaller, but it’s pretty much a cynical PR ploy. No attempt is made on their website, either the main on OR on the support site (which is the place you have to go to start the whole uninstall hoopla) to indicate that the rootkit exists. Someone who wasn’t aware of the problem but discovered it independently would be totally lost as to how to remove it.

Fortunately, security companies are starting to pick up the slack. Computer Associates, for instance, have now officially labeled the system as spyware and say about the woeful uninstaller: “Initial analysis shows the uninstaller verifying that it is on the same system which ran the initial ActiveX control as part of the uninstaller request process. This effectively prevents easy redistribution of the uninstaller, and requires everyone who wishes to receive the uninstaller to do so through Sony BMG’s official process, which involves releasing personally identifiable information for use by Sony BMG and undisclosed third parties.” In addition, they also recommend that you disable Autorun to prevent being infected in the first place.

This is generally a great idea, by the way. One of the very first things you should do with a Windows install is disable Autorun.

There is also a class action lawsuit being brought against Sony in California. And an Italian privacy group is trying to get the Italian government to investigate Sony on criminal grounds.

The real hilarious thing about this, though, is that — ironically — pirated MP3s are much safer than the official Sony CDs. Not only is the DRM not doing it’s job, it’s actively encouraging people to use a pirated version simply because it doesn’t try to infect your computer with a rootkit.

Sony needs a very hard spanking. And not the good kind.

References:
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=76345
http://blogs.washingtonpost.com/securityfix/2005/11/calif_ny_lawsui.html
http://www.pcworld.com/news/article/0,aid,123454,00.asp