Sales of Sony 'rootkit' CDs Continue

In spite of a warning from the U.S. Department of Homeland Security Computer Emergency Readiness Team (www.us-cert.gov), some national retailers continue to sell music CDs containing the Sony 'rootkit' software. According US-CERT, this software "hides certain files from the user" and thus "can pose a security threat, as malware can take advantage of the ability to hide files."

Sony has listed more than 50 CD titles on its website. (www.sonybmg.com)

Since Thanksgiving day I visited four national retailers of CDs in my vicinity. All of them had 'rootkit' CDs available for sale. Employees at KMart, Walmart, and Circuit City were unaware of any corporate policy concerning the recall of these CDs. An employee of FYE stated that there was a voluntary recall, meaning that the customer had to initiate the return.

The Sony website (www.sonybmg.com) makes no mention of a 'recall'. What Sony is offering is an 'exchange' whereby the customer can swap affected CDs with CDs of the same title but without the XCP software. There is nothing to prevent Sony fom giving these customers CDs with the Sunncomm copy protection software.

Considering that lawsuits are being filed against Sony BMG, it seems surprising that these retailers would expose themselves to bad publicity and possible lawsuits. Sony seems to have no sense of corporate responsibility. Protection of profits seems more important than protection of its customers.