What was Sony thinking?

It all started innocently enough.  I have a Dell Axim X50v that makes a great music player.  OK, I'm over 40, way over 40, so I'm not into "cool" and really don't have any interest in be-bopping or dancing down the street, so I don't have an iPod. Most of what I play is pretty "lame" by today's standards; my idea of classic rock harkens back to my high school and college days and some one-hit wonders nobody today would remember.  My wife got me interested in country music (and western, too) and I have to admit it sounds good and the girls who sing country these days are definitely hotter than the wasted creatures that modern rock (or whatever it's called) puts on CD labels.  But I do like to carry my tunes with me on my PDA - and a Hitachi 6 GB CF card means I can get pretty much my entire collection on the PDA. The Dell will play on, and on, and on with an extended battery.  At any rate, my Dell Axim X50v will play music to last the longest car or plane trip.  I can fly from Houston to Tokyo on a charge, and never have to listen to the same tune twice - a feature of FM radio lost since Clear Channel (your choice - "all repeats, all the time" or "all commercials all the time") took over radio.  So I use my Toshiba notebook to move music from CD to PDA.

I don't download MP3s, I absolutely don't have any file sharing software, and I don't condone piracy. I have registered every single piece of shareware / begware software I have ever used and I take great pride in that.  I made my living for more than 10 years as a photographer, so copyright violation is anathema to me. Every author is entitled to 100 percent of the royalties they have coming - being an artist is a lot of work, sweat, and tears, and the vast majority are far from rich.  We all benefit from a healthy free market, competitive, and artistic environment.  Besides, every single file sharing network is compromised by a plethora of back doors, hacks, and malware. I have never seen a computer with multiple virus / spyware infections that did not have a peer-to-peer network installed.  Finally, copyright violation is theft.

When I got my new Patty Loveless CD, "dreamin' my dreams", the first thing I did was pop it into my CD player to make my authorized copy to my PDA.  Usually I put the CDs back into their stack to remain, gathering dust. Now, my Patty Loveless CD is a dangerous weapon, destined for shattering and the trash can.

What did Sony do?  They installed, without my knowledge or permission, a rootkit on my computer.  Why? To somehow limit the number of copies I made of a CD ROM that I purchased, legally, at Best Buy.  However, this rootkit did the following:

- Caused my notebook to crash
- Caused my notebook to blue-screen on startup
- Caused my blood pressure to boil and my anger to overflow
- Caused me to have to reformat, and re-image, my computer to regain control of it
- Caused me to swear before God that I will never, ever buy any Sony product as long as I live

The stunt that Sony played on my computer when I performed the perfectly legal act of simply inserting the Patty Loveless CD in my drive is absolutely criminal.  Hopefully the civil suits being filed throughout the country will morph into additional criminal cases as well.  I am perfectly willing to join any class action lawsuit against Sony.  They have earned my anger for life.  If anyone wants my testimony for a grand jury, I'll be there.

I don't care what Sony's intentions were.  I don't care how carefully they did, or did not, test their XCP software.  I don't care what their, or any, lawyer says about the legality or morality (and since when do lawyers know or care about morals, anyway?) of installing a rootkit on my computer.  What Sony did was criminally wrong. It wasn't negligence - it was a willful invasion of my computer that I did not in any way authorize, much less authorize them to install a program, and certainly not a rootkit(!) and it damaged my computer.  That is unforgivable.

Even if Sony had somehow popped up a box asking permission to play the CD ROM or to do anything besides simply cooperate with the operating system and media player to play music, that would have been a violation of my expectations, as a customer, built over the last 20 years of CD ROM playing that when I put a music CD ROM in a player, I expect it to play music and nothing else.  The fact that Sony would even consider that they have the right to install software, much less criminal software, on my system is an outrage that can not be tolerated, much less forgiven.

Now there are additional Trojans or Worms (depending on which news article you read, some are already appearing) that take advantage of the hidden directories and other "features" that Sony created on hijacked computers.  This was an absolutely predictable outcome of installing such software on end user computers.  Sony had to know this would happen, so:

What was Sony thinking?

I fear that Sony has achieved exactly what they intended.  The following is my "contrarian" view and only time will tell if this view is correct:  I can not believe that Sony shipped out millions of CD ROMs without knowing they would harm computers and that they would receive flak - a lot of flak - for doing this. I do believe that they, in all their arrogance, have grossly underestimated the storm of criticism, lawsuits, etc. coming their way.  I believe that they thought some, but not a lot of bad press, would ensue and that people would suddenly look at their CDs and ask "is it safe to put in a computer?" and then that they would quit doing so.  Sony intended to scare people away from copying by creating an atmosphere of distrust.  However, now Sony has created an atmosphere of anger, lawsuits, and possibly criminal cases directed where it belongs - right back at the corporate officers who so arrogantly decided they had a right to attack their customers' computers.

What really galls me, a security professional, is that any company would consider it desirable to literally attack their customers' computers - and a rootkit can only be considered an attack.  No rootkit can ever be considered "benign" or "beneficial" or a "feature".  The capabilities of such a piece of code to be used for malicious purposes coupled with the opportunity presented by literally millions of innocent, non-technically sophisticated users having computers infected with the rootkit, create an unparalleled opportunity for malicious software authors to take advantage of the situation.  What Sony did was akin to air-dropping millions of booby traps throughout the US camouflaged as CDs.  How dare Sony commit such a hostile, irresponsible, and arrogant attack on their customers?

Sony literally committed an act of war against their own customers.

What was Sony thinking?