NEW: Sony is settling a class-action lawsuit in Canada over this stuff. Please check their page on the subject to see if you're a member of the class and entitled to a share of the settlement. See below for my earlier postings on this story.
You already heard that Sony was being sued by consumer advocates in New York, California, and Italy over its inclusion of intrusive, insecure DRM spyware on recent music discs. Now the Texas Attorney General is launching an enforcement action, too.
Let's recap: If you try to listen to the affected discs on your computer, they install the DRM software. They ask your permission to do so in a click-through, but they sometimes install the software anyway before you give permission and even if you say "no". (Note: Sony uses more than one DRM system; most of the links here refer to "XCP", but the one in the last sentence refers to "MediaMax"; it's not clear to me whether the same criticism applies to XCP.) They didn't necessarily have permission from the artists, although (under standard "all your base are belong to us" recording contracts) they probably didn't legally need it. The license agreement in which they ask for permission lies about what's actually being installed, and contains insane unconscionable terms.
The DRM software uses the same techniques used by malicious "rootkits" (it is not a rootkit itself, so I refuse to call it one) in order to avoid your detecting or removing it. It opens your system to attack by other parties, and trojans exploiting the vulnerability were observed in the wild.
A "patch" was released, but the patch only reveals the presence of the software without removing or securing it. The DRM software was found to include free LGPL libraries written by the community in violation of the license agreement on those libraries. It was later found to include GPL code, including some written by Jon Johansen of CSS fame.
Sony lied about the safety of the software in this press release. When I archived a copy of that release on November 15 it included the statement "This component [XCP] is not malicious and does not compromise security." - which was already widely known to be false as of the November 8 date of the press release. The release has since been edited to remove that sentence, but it remains dated November 8. They also claimed that if you don't know what a rootkit is, you shouldn't care. Makers of anti-spyware, anti-virus, and similar software started classifying the DRM as malware, but in some cases, only late and grudgingly; prompting stinging criticism from security expert Bruce Schneier.
After huge public outcry, a warning from the Department of Homeland Security, and lawsuits in California, New York, and Italy, Sony announced it would "suspend" production of the problematic discs without recalling them, and provided a Web-based uninstaller for the DRM software. The uninstaller opens even bigger security holes on your system if used. Sony later announced a recall. The uninstaller leaves behind other dangerous software on your system when used. The installer is difficult to use.
Sony is settling class-action lawsuits over this in the USA and Canada. Please, take some time to check whether you're entitled to a share of the settlement, and claim it if so. Class-action suits only work as a deterrent to corporate misbehaviour if lots of victims claim their rights.
Sony should, and I hope will, pay dearly for its transgressions in this matter, but I hope we don't lose track of the real point. The real point is that DRM is intolerable. This was an especially intolerable form of DRM, but any DRM is intolerable; we, as users, should not tolerate DRM, period. A kinder, gentler DRM with the most serious holes of this one fixed would NOT be okay. There can be no acceptance of DRM at all.
Some clarification on my "it's not a rootkit" statement above, because I'm differing from other experts on this point: as far as I'm concerned, a root kit (I wouldn't normally run the term together into one word, but lots of people do) is an organized set of tools (a "kit") crackers upload to a cracked system in order to keep and use superuser ("root") access. It would typically include cloaking tools - to prevent the legitimate users from figuring out that anything is going on; security tools - to prevent other crackers from breaking in via the same vulnerabilities through which it was installed; utilities - to help do whatever dirty deeds were the purpose of breaking in in the first place; and possibly remote control tools - to help manage a "farm" of many compromised machines. The Sony DRM software in question here uses the same cloaking techniques used by some rootkits, and that's why people are calling it a "rootkit". But it isn't a rootkit, because its purpose, nefarious as it may be, has nothing to do with maintaining a cracker's root access to the machine. The uninstaller might arguably be a rootkit, because it creates and maintains a facility for Sony (or random crackers on the Net) to run arbitrary code. I'd prefer to call the DRM installer a "trojan": software that users voluntarily run, which serves secret purposes against the users' interests. It's also correct to call it "malware": a general term for almost any kind of evil software.