14 November 2005

So Long, Sony

Sony destroyed the last advantages legitimate content distribution had left.

Legitimate content usually costs more, and is often more restrictive about how it can be used; DRM is, after all, an artificial attempt to destroy the natural advantages of the digital age.

Plus it's more difficult to get. The media companies could have beaten peer-to-peer networks at their own game, by saying: "Here's the one place in the world where you can get direct access to every work by our artists that has ever been released, directly from a trusted, efficient server". But no, it's still "we own the rights to everything, but most of what you want we will not supply because we have decided to delete that from our catalog as not being financially worth our while".

So the only positive things left to say are: "Get your material from us, so you know you won't get attacked by viruses", or "Buy it from us, because it's the right thing to do".

Yet no virus writer has been able to escalate risk as severely as Sony, where something that is not even supposed to be a "computer disk" (thus representing the lowest expected risk possible) actually plants an open-for-exploit rootkit on the PC (which is about as high a risk as possible) - and then have the sheer arrogance to deliberately build that into mass-manufactured goods that folks pay for in good faith.

We aren't talking about some bad guy forging product, or intercepting and tampering with it, e.g. by injecting poison into over-the-counter headache pills and putting them back on the shelf. This is actually built into the product at the factory. We've never seen that level of evil before, when it comes to maliciously exploiting users via Social Engineering.

And Sony has no remorse; the response has been "What's the big deal? Most consumers wouldn't know what a 'rootkit' is, anyway". Well, folks who bought poisoned headache pills may not understand the biochemistry involved, but they do feel the pain.

So - if you want to listen to music without risking exposure to malware, buying a legitimate CD may now be the last thing you want to do. And when it comes to doing the "right thing", does it do to reward the most evil exploitation of trust consumerland has seen yet?

"Sony Is Not An IT Company"

I've watched some IT folks attempt to defend what Sony has done in various ways, and one of these is what I call the "forgive them, for they know not what they do" argument. But there are no good results down that road - either Sony is indeed ignorant of IT principles (in which case, should they be considered fit to stealth code into "data" products?), or they know exactly what they are doing, and have thus clearly demonstrated they are unfit to be trusted.

Sony releases all manner of things under their brand, including IT products. If they are happy to leverage the brand association, then they can't disassociate themselves from the fallout.

Would you buy or resell Sony DVD writers and other optical drives? Would you trust the software bundled with Sony digital cameras, media playing devices, etc.?

Trusted Computing can fail at any one of several layers, and it's no good worrying about the deepest of these (program code, hardware, etc.) if the topmost layer is blown away. Trusted Computing is going to be designed and built by entities who have proven they cannot be trusted, out of materials (code, even hardware) that are notoriously prone to insane behavior.

When audio CDs drop rootkits on PCs, "documents" auto-run macros, and JPEG image files run as raw code through some deep code bug, you don't have to look far to understand why we are scratching at the door to escape whenever we hear the term "Trusted Computing".

Moral: Never code anything bigger than your own head.

Calling All Activists

This Sony rootkit issue is a big storm in our little teacup of Information Technology, but every client I've spoken to hasn't even heard about it - and this includes several folks who are normally quite socio-politically aware.

All too often, the activists leave the geeky stuff to us - and as techno-geeks, we leave the politics to the activists, politicians and lawyers. Then when they do try to legislate or regulate our technological world, we smugly point out how poorly they understand this world, and thus imply they are unfit to do so. Result: The engine's running full speed, but there's no hand on the rudder - is it any wonder the ship gets hijacked?

All over the world, societies and nations have balanced the need for creditors to recover debts, with the rights of the indebted. We generally do not allow creditors to send their goons to smash into your house and search it for what they accuse the debtor of having appropriated.

IT corporations are used to writing their own laws (EULAs and warranties basically exist to trump common law principles), and what Sony has done is a natural extension of this - though the sheer scale and arrogance beggar belief. They haven't released a virus that infects existing content, but built it into the product, and this malware runs roughshod over whatever laws might apply wherever that content goes.

And no-one has questioned their right to do this, instead muttering only about the methods involved. But step back and look at the big picture; Sony is "defending" a US$20 transaction, at the cost of your computer installation that's worth... what? The value's potentially unbounded; the PC may be worth US$500, but what you do on it could be worth far more; Sony doesn't care about the details, and would expect to be absolved of responsibility for any consequent damage.

The rights you save, may be your own.