Mark Russinovich, over at Sysinternals, has declared victory over the rootkit embedded in the CD’s Sony has distributed. And, as Bruce Schneier points out in his excellent analysis, Mark has reason to be happy. It’s David v. Goliath.
However, it’s not a total victory.
There are untold numbers of machines still infected with the Sony Rootkit, a lurking security flaw waiting to be exploited. A recall of the discs will not uninstall the software. At best, Sony will get back the unsold discs, plus a very small percentage of those in the wild.
Further, Sony’s own attempt to remove it leaves another security hole, an ActiveX control that can be exploited, too.
It will take years before the lawsuits play themselves out. As news of what Sony has done to consumers spreads beyond techies, I fully expect more lawsuits to be filed. In the next few days, I will look further at some of the legal theories propounded, including trespass to chattels. Not to mention, of course, Sony’s own potential liability under copyright for including the LAME MP3 encoder in the DRM software without complying with the terms of its license. What irony, Sony’s software to protect its copyrighted content may itself be in violation of the copyright of others.
Whether others will learn from Sony’s public relations nightmare has yet to be seen.