John Drake recently sent me the following e-mail about the debacle with the dangerous and intrusive rootkit installed with some of Sony’s music CDs. I haven’t paid much attention to the story, but I did check my recent CD purchases for any from Sony. (I didn’t have any, thankfully.) Although this story isn’t new news, but I thought I should pass it along for the sake of the non-geeks.

John writes:

I need to stay up with my news better, since this story is a couple weeks old. I’m not usually a scare mongrel but in this case, its warranted. For those of you have not heard yet, its recently been uncovered that Sony’s new copy protected CDs install a software program on your computer that opens your computer up to malicious attacks.

What’s worse is that there is no native way to uninstall this program, you must find and download a patch to do so (which itself may be open to vulnerabilities). There are some ethical issues surrounding Sony’s behavior as well, but more importantly, I want to alert my friends of the security vulnerabilities imposed by using these CDs.

To Sony’s credit, they have removed the vulnerable CDs from the shelves, but if you’ve bought any CDs from them lately you may be at risk.

I’ve cataloged more of the story on my blog including the technical vulnerabilities, some of the ethical issues, a link to the specific CDs in question, and how to get a replacement CD if you have purchased an infected one.

Feel free to pass this email around so that more people are aware of this problem.

Music companies ought to take all necessary and legitimate steps to protect their intellectual property, but hacking the computers of their customers is beyond the pale. It’s no better — and perhaps worse — than breaking into homes to rifle through CD collections and plant bugs while also sabotaging alarm systems. If Sony wants people to respect its property, it needs to learn to respect theirs.