Sony has finally agreed to take back its rootkit-infected CDs. Visit this page for instructions on how to print out a pre-paid label you can use to exchange the affected CD for one that doesn’t contain XCP copy protection. (Interestingly, this and a similar page at Sony’s Web site represent the first official list of CDs that use the XCP software.)
No word yet on whether the replacement CDs will use another form of copy protection.
Meanwhile, Amazon is allowing its customers to return any XCP-infected CDs. This announcement appears on the order page for any Sony CD that includes the XCP software:
This Sony CD includes XCP digital rights management (DRM) software. Due to security concerns raised about the use of CDs containing this software on PCs, Sony has asked Amazon.com to remove all unsold CDs with XCP software from our store. If you have purchased this CD from Amazon.com, you may return it for a full refund regardless of whether the CD is opened or unopened, following our normal returns process. Simply indicate that the CD is “defective” as the reason for return.
Sony still has a long way to go. There’s no indication that they are actually accepting responsibility for their actions. They still have issued no apology or admission that they really, really screwed up. And they haven’t made any public contact with the people in the community who identified this problem. In a world run by sane people, someone at Sony would have been in contact with Mark Russinovich within 24 hours of the identification of this problem.
(Via Brian Krebs’ Security Fix blog.)
Ed Bott 
Take a look at that list to see just how clueless Sony is. Do they really think it’s necessary to go to such lengths to protect Bette Midler and Burt Bacharach CD’s? I expected to see some big-selling, popular artists on that list, you know, the ones that are being downloaded by the thousands (millions?) on file-sharing networks. The damage they’ve done to their reputation just to keep a Cyndi Lauper album from hitting Bit Torrent is absolutely hilarious.
Sony Latest hit song– 50 ways love your DRM.
— the problem is all inside your head, Sony said to me
the answer is easy if you take it logically.
i’d like to help you in your struggle to be free
there must be 50 ways to love your DRM.
Sony said it’s really not my habit to intrude
for the more i hope my meaning won’t be lost or misconstrued
so i repeat my self,at the risk of being cruel
there must be 50 ways to love your DRM
chorus:
just slip in the back,Jack
hide the new plan,Stan
you’ll need a decoy,Roy
just listen to me
close the bus,Gus
don’t need to discuss such
just drop in a key,Lee
and you’ll never be free.
Sony said it grieves me so to see you in such pain
i wish there was somthing i could do to make you smile again
i said,i appreciate that,
and would you please explain about the 50 ways.
Sony said,why don’t we both just sleep on it tonight
and i believe in the morning you’ll feel the bite
and then she kissed me and i realized her might
there must be 50 ways to love your DRM
chorus:
just slip in the back,Jack
hide the new plan,Stan
you’ll need a decoy,Roy
just listen to me
close the bus,Gus
don’t need to discuss such
just drop in a key,Lee
and you’ll never be free.
“No word yet on whether the replacement CDs will use another form of copy protection.”
According to Sony’s letter to “valued customers” — the one which lays the blame solely on First4Internet — “we are instituting a program that will allow consumers to exchange any CD with XCP software for the same CD without copy protection.” [emphasis added] I’m not sure I’d believe it, but that’s what they’re saying.
Ed,
Thanks for keeping this issue in the public eye. I would like to let you and your readers know about the extent of this issue. So I’ve started a Frappr map of those willing to identify themselves publicly as “victims” of the rootkit. [The map can be found at http://www.frappr.com/sonyxcpvictims%5D
-CyclingRoo-
“Texas Sues Sony Under Anti-Spyware Law” Yahoo news -today, nov 21 2005
Maybe Sony and GM can have drinks together and cry on each other’s shoulders about how the public is giving them the spankings they deserve.
I share your assessment that “Sony still has a long way to go.” In addition to the problems you raise, there’s also the question of whether and how Sony will provide meaningful notice to affected users. In http://www.benedelman.com/news/112105-1.html I show something of a novel approach — using Sony’s own “call-home” feature to send users a special banner ad describing the situation and users’ rights. Turns out Sony can do this with only a few lines of XML code placed on their web server. And I already ran a demo — using a HOSTS file to make one of my PCs look like Sony’s web server — to confirm that the banner system works as requird.
The fact that Texas has sued Sony is probably the very reason Sony will NOT publically accept responsibility. They don’t want thier public statements to be used against them in a court of law, in fact I’m suprised that they are saying and doing as much as they are. There is a very good chance the lawsuit will in the short term backfire. Sony will clam up and stop taking CD’s back and will not issue an uninstaller for the uninstaller for fear that any action they take that implies any culpability at all will spell doom for them in court.
The best bet for a short term resolution is for a third party to write an unofficial DRM system uninstaller and a DRM uninstaller uninstaller (no that wasn’t a typo) and release it as freeware. Someone like F-secure, Grisoft, Norton or McAfee should be in a good position to capitalize on the goodwill developed by that.
Sorry, Rorschach, I completely disagree. Sony has everything to gain in its lawsuit by exhibiting good faith at this point. It’s a civil lawsuit, not a criminal trial. Anything Sony does at this point that exhibits a willingness to undo the damage buttresses their claim that any damage they caused was unintentional. If they stonewall, they just provide more ammunition for the Texas AG.
Ed,
if that’s the case, why the outrageous sum demanded by Texas for each violation? That’s large enough to make Sony go under–of course they are going to fight it and make sure that they say or do nothing that implies culpability.
Ben,
What a great idea!!! I hope it gets “discovered”!
Jake, when you file a civil suit, you ask for the maximum damages to get the other side’s attention. The actual damages would be set by a jury (subject to approval by a judge) if it goes to trial, or a settlement (much lower, presumably) would be negotiated.
I’m betting that Sony’s working on its settlement terms now. They do not want this lawsuit to go forward. If they show reasonable actions, they’re in a better position to negotiate.
Of course, little they have done so far has been reasonable, so who knows what they will actually do.