In response to IPCentral

This is in response to this post.

After the debacle with the black pens, someone might well have been instructed to try again, and this time make a DRM that wasn't so easy to get rid of. Someone else thought he had a bright idea to take a page from the hacker tech manual. And so that product was delivered to Sony. It seems unlikely to me that there was a conversation along the lines of "you know that this is basically hacker tech that makes customers vulnerable to viruses and whatever, right?" Not impossible, but... implausible. So at this point it seems to me quite possible that this was a case of someone "should have been" more aware of security issues with the stuff. And so the line that one might draw between a bug and a deliberate attack can be more blurred than one would want. How many bugs "should have been" caught?

But see, here's the underlying problem. Root kits are typically only good for screwing with low-level actions in the operating system. That's what they are typically deployed for, and employers are no exception. For example, they want to be able to have even deeper control over what processes can be run, what files can be accessed, and I am totally cool with employers restricting their property.

DRM and rootkits, however, should never be mixed because DRM needs to hook into the operating system quite differently. It should be built into the I/O systems of the operating system and operate transparently, if it is supposed to be integrated into the OS. Personally, I would not want DRM integrated into the core I/O systems if I were an OS designer, but that's another debate entirely. The problem is that this form of "DRM" is basically a hack that gets cozy with the OS, without really integrating in a way that the designer intended. Anyone now see why that is a Really Bad Thing?

The problem with system-level DRM is that it really must be implemented by the OS designer if it is going to be done right. Kernel modules can be unloaded, rootkits killed and so it's pretty obvious that if DRM is going to work at the system-level, it must be implemented in such a way that it is the underlying philosophy behind how the hardware and software interact.

I think Solveig misses the point here, which is that people freaked out because Sony bought what amounted to a hacker tool, installed it surreptitiously and then didn't even bother to make sure that it worked right. Quite frankly, the security hole was not even the biggest beef that I've seen people have with it, but rather the fact that Sony installed a rootkit on people's systems because of how fundamentally invasive that is for the OS. The fact that it also made them very vulnerable to security flaws certainly didn't help things, but I suppose in Sony's defense, if you're using Internet Explorer (and thus can be hit by ActiveX flaws) you get what you deserve knowing its security model.

Set aside the intent issue for a second and look at the tech. Is it really always clear what is a "pure" hacker tool and what is not? Isn't it likely that in future programmers might well continue to experiment with "hacker tools" to see if they can use principles in those tools for a useful purpose? Isn't the argument that there is such a thing as a purely useless and bad tech usually made by advocates of tech bans? Are we saying that all software always has to be easily removable and detectable? By everyone? What about security software or content filters used by parents or schools or employers? Suppose experts could find and remove it but not beginners? Suppose a DRM system was hard to find or hard to remove, but didn't create a security vulnerability to outsiders? Or suppose it did, but was easy to find and remove? There are a million possible permutations of technology here--hard to imagine the legal system coming up with a top-down rule that makes sense for all of them, especially at this early stage of the game. Markets adapting after the fact are much more flexible.

I do not know of any law that would preclude companies from adopting "hacker tools" provided that the intended use is lawful. While there is a bit of a strawman inherent in fretting about the legality of "hacker tools," we'll just let that slide and address the other points here.

To the best of my knowledge, practically no one has brought up the issue of the software being removable, and I certainly would not make an issue of it. There are too many variables, including sheer user stupidity, that can get in the way of good software packaging for us to actually regulate this. The real problem is that Sony tried to conceal a tool that altered the proper operation of their customers' operating systems. A good solution to this would be to require that they very clearly detail what they are going to do to their customers' systems, and ideally they should be required by law to label this on their products ahead of time to allow people to avoid having the software installed on their systems.

When someone goes out to buy a filtering system, security program or something of that nature, they go out with the expectation that system modifications may be part of the process of using the software. It's an acceptable risk that they freely accept. However, most people do not think that their music CD may contain a program that will undermine the proper functioning of their operating system and expose them to problems. By the way, part of the problem too was that this rootkit could be used to conceal all sorts of files, provided that they followed the naming convention of the DRM tools.

I am not willing to let the market decide on this matter because of the fact that Sony barely repackaged a rootkit and based their DRM strategy on it. They also used it to control their customers' computers without their knowledge, which is not the case with other DRM systems such as Apple's FairPlay. I wonder how many objections there would be to an employer surreptitiously doing this to an employee's home computer in the name of preventing them from stealing company documents and intellectual property. Probably none. Other major DRM systems are non-invasive and well-designed; Sony's was a warmed-over rootkit, and they knew it and used it without their users' permission.

Bottom line: No, I don't think the root kit should be regulated, in the usual sense of the word, as broadcasters or telecom companies are regulated. But then I don't think my critic meant that either. I do think that under some circumstances legal remedies would be appropriate for software that does damage. But in the meantime the legal system (to which market forces do not really apply) is more out of control than any DRM (to which market forces do apply). It is not clear to me what work is left for the legal system to do in this case.

It's not so much the production that should be regulated or eliminated, but the use. The issue is not the quality of the software, but what the software actually does that matters. Properly implemented DRM would not have to work like a rootkit as either the OS vendor would build it themselves into the operating system, or it would run peacefully in user space. Dare I say it, if you aren't the OS vendor then you have no business implementing a system as potentially invasive to the OS as DRM at the OS level.

Sony should be taken down here because of their actual use of the rootkit. The sneaky manner in which they installed it smacks of a more than slightly guilty conscience. Other DRM vendors have no problems with being up front about it, and don't do things like screw around with the process manager or the file manager. The first thing that comes to my geek mind to describe their actions from a technical perspective is hacking (or cracking if you're a nerd). But then, if it keeps the regulators from going nuts and regulating us to death since they are usually totally ignorant of all technical matters, I suppose the lesser of the two evils is to let Sony get away with it by law. Ultimately though, the technical and legal aspects are closely related. We need regulators who can craft finely-tuned laws to outlaw things like Sony's DRM system while protecting Windows Media and FairPlay.

Regardless, I'm still not buying a Playstation 3.

This blog is licensed under a Creative Commons License.