Mark Russinovich, a software designer in Austin, Texas, wasn't too surprised to find something ghoulish lurking in his hard drive when he ran a routine virus check on Halloween. When he discovered it was a "rootkit" - a kind of software commonly used by viruses, spyware, and other "malware" to mask themselves among normal files - he chalked it up to the usual aggravating tricksters.

But when Mr. Russinovich, chief software architect for Winternals Software, did a thorough investigation he was shocked to find the source of the rootkit: a commercially produced music CD from Sony BMG. Not only that, but when he manually tried to erase the program, it disabled his computer's CD drive.

Russinovich posted his findings, in excruciating detail, on his weblog at sysinternals.com. His Van Zant album had automatically installed the rootkit to hide custom antipiracy software when he played the CD on his computer. The blogosphere erupted with invective. They accused Sony of using "hacker ware" and programming computers to spy on their owners - and possibly opening a "backdoor" for hackers on consumers' machines.

Sony's software was designed by British copyright protection firm First 4 Internet, which acknowledges a "theoretical" security risk posed by the rootkit. According to First 4 Internet CEO Matthew Gilliat-Smith, the rootkit application could create a secret backdoor for hackers. Sony has hastily posted a "patch" program to reveal the rootkit, but some say it doesn't go far enough.

"It definitely hit a nerve with a lot of people," says Russinovich. "I think part of it is the encroachment on our everyday lives, people being afraid that we're losing our right to privacy, our right to control our own property."

The discovery highlights the music industry's growing concern, even desperation, in the face of increasing competition from digital music sources and loss of income from piracy.

"These companies are trying to - in their effort to reduce copying - erode users' control over their own computers," says Ed Felton, a professor of computer science and public affairs at Princeton University in New Jersey. "I think we may continue to see problems like this. There are other companies that offer other kinds of copy-protection technologies, and there is a danger that they will stray across the line as well, or maybe even already have."

Part of Sony's antipirating strategy is that some of its music will play only with media software included on the CD. When a user inserts the CD, he or she is asked to consent to an "end user licensing agreement," for a Digital Rights Management (DRM) application. If the user agrees, the rootkit automatically installs and hides (or "cloaks") a suite of DRM software.

Page: 1 | 2