The Rootkit of All Evil

SONY BMG can take two lessons from its recent wayward attempt to fend off digital piracy: One, in a world of technology-astute bloggers, it's not easy to get away with secretly infecting your customers' computers with potentially malicious code. And two, as many a politician has learned, explaining your own screw-up badly is often worse than the screw-up itself.

Skip to next paragraph

Mark's Sysinternals Blog: "Sony, Rootkits and Digital Rights Management Gone Too Far" Boingboing's Roundup of Coverage Wired News: The Coverup is the Crime Wired News: Boycott Sony NPR: Sony Music CDs Under Fire From Privacy Advocates Sony's Note to Customers Slate: "Digital Rights Mismanagement" Wall Street Journal: "What the In-Crowd Knows" Paidcontent.org Adrants Moviefone Bot: Zen Master?

Or as Wired News put it, "The Cover-Up Is the Crime."

It all started on Halloween, when Mark Russinovich, a computer security researcher, discovered that the antipiracy software that a Sony BMG CD had installed on his machine was based on a "rootkit." Rootkits are often used by malicious hackers to disguise spyware, malware and other nasty stuff. Removing one can do damage, even destroying an operating system. Mr. Russinovich posted his tale on his blog, sysinternals.com/blog, and the pile-on commenced.

Sony BMG responded by offering a piece of software it said would remove the rootkit, but at the same time said the rootkit was "not malicious and does not compromise security." Thomas Hesse, president of Sony BMG's Global Digital Business, went on National Public Radio to say that "most people, I think, don't even know what a rootkit is, so why should they care about it?"

Cory Doctorow on boingboing.net wrote: "What petulant jerks. Look, Sony, you got caught sleazing your customers' computers. Telling us that it wasn't so bad is just infuriating and insulting. An apology would have been better received."

Things grew worse for Sony BMG. The company angered many music fans with its complicated uninstall process, which required them to disclose their e-mail addresses and make multiple visits to sonybmg.com. (Several days later, researchers at Princeton asserted that the removal tool itself left computers vulnerable to attack, prompting Sony BMG to remove it temporarily.)

Antivirus companies said they had detected malicious software on the Internet that was aimed at the vulnerability created by the rootkit. Dan Goodin, a Wired News columnist, called for a boycott of Sony BMG.

This week, Sony BMG relented, somewhat, and announced a recall of all rootkit-containing CD's, in exchange for "clean" ones. Mr. Doctorow, less than impressed, called Sony BMG's statement "a non-apology apology."

PIRATE FIGHTERS Companies like Apple and Microsoft that offer downloadable music are also doing their part to make life tough for customers - by employing proprietary digital rights management schemes, Adam L. Penenberg writes in Slate (slate.com). What the world needs, Mr. Penenberg says, is a universal standard so that any song downloaded from any service can be played on any device. "Neither Apple nor Microsoft is hurt by music piracy," he writes. "Instead, they use it as a marketing ploy to force people to use their products. It doesn't have to be this way."

BIZ-BLOG GUIDE "No self-respecting industry these days is without a must-read blog," says The Wall Street Journal, which asked reporters to compile a list of 20 industry-specific blogs - from paidcontent.org, which mixes commentary and links with original reporting, to adrants.com, which offers short, pithy, sometimes biting commentary on the ad game. There are, of course, thousands more where that came from. But we've got you covered there.

I.M. THIS America Online arbitrarily decided that its Instant Messenger users should have bots in their buddy lists: Meet Moviefone and ShoppingBuddy, whether you want to or not. The bots, which users can "talk to" to get information, announced themselves via an instant message on Wednesday. Users who find them obnoxious are forced to delete them from their buddy lists. A blogger named Luke the Obscure decided to try out Moviefone, but found it infuriating. Their bizarre conversation ("I will crush you," says Luke. "Excellent," says the bot.) can be found at passivereactive.blogspot.com.

E-mail: whatsonline@nytimes.com.