Two weeks ago, Sysinternal's Mark Russinovich discovered that many of Sony's music CDs are protected by a DRM mechanism that mimics a malicious rootkit program (see sysinternals.com/Blog for his excellent details on the issue). Sony's handling of the issue has gone from bad to worse. First, they basically said most people don't care about the issue and released flawed removal instructions. Then several worms and viruses started appearing that used Sony's rootkit hiding mechanisms.

Today, I read that Sony's new removal software leaves any computer it has been executed on in a very insecure state. Namely, the browser on any affected machine will allow any Web site to execute any program on the computer -- malicious or otherwise.

The removal process apparently leaves an insecure ActiveX control installed that can be remotely scripted by any Web site to do anything. Lest you think this is a joke, the post on the vulnerability was created (partially) by Ed Felten, one of the world's most respected computer security experts. Add to that fact the many insane statements -- such as people filing bankruptcy have to delete the music and that you cannot play the music on a work computer -- Sony made in its EULA agreement, and the issue of DRM's reach and who to trust becomes a lot seedier.

Our only hope is that consumers will pay enough attention to cause serious adverse financial consequences to entities that abuse our trust. Unfortunately, if history is any guide, most of the public is not paying attention and doesn't care -- although the Department of Homeland Security's almost uncloaked rebuke was meaningful.

What makes this situation worse is that Sony is far from alone in abusing consumer's trust and DRM's real objectives. InfoWorld's own Ed Foster's Gripe Line column and blog is full of competitors that apparently share Sony's warped treatment of customers.