
Sony fiasco: More questions than answers

Rootkit rumpus rumbles on


The big story of the last few weeks has been the Sony BMG rootkit, and in fact it's the kind of story over which columnists drool: a big company does something unbelievably dumb that violates basic security principles. Many questions have arisen in my mind over the past few weeks as I've watched this story unfold. I'd like to share a few of them with you. If you have answers - or more questions - email them to me at the byline link above.

  • How many corporate, government, military, and scientific organizations will ban the use of any Sony CD now on any machine connected to their networks?
  • How long until those bans extend to any copy-protected CD made by any music company?
  • How long until those bans extend to any music CD, period?
  • How many corporate, government, military, and scientific networks have been compromised by the Sony rootkit?
  • Have any security breaches occurred on a corporate, government, military, and scientific network due to the Sony rootkit?
  • What actions will Sony face as a result of any security breaches?
  • How would those corporate, government, and scientific organizations have reacted if a group hostile to American interests had engaged in the same security violations practiced by Sony?
  • Who did Sony rely on to do the shoddy development work on the ActiveX control used to "uninstall" the Sony rootkit?
  • Has anyone been damaged by the ActiveX control, which leaves PCs wide open to a variety of attacks?
  • When will Sony release a method for actually removing all traces of their rootkit from a PC?
  • Will that method further open up PCs to new security holes?
  • How many cheats, viruses, and Trojan Horses will use the Sony rootkit as cover for their own installation and actions?
  • Does anyone at Sony - either in management or IT - really have any understanding about security?
  • Did Sony ever bother to think through the ramifications of its rootkit?
  • Who made the decision at Sony to implement the First 4 Internet rootkit?
  • Is that person - or persons - facing sanctions? Demotion? Firing?
  • Has anyone sat down with Thomas Hesse, President at Sony BMG and utterer of the line "Most people, I think, don't even know what a rootkit is, so why should they care about it?", and explained to him just how stupid his statement is?
  • How successful will the legal actions against Sony prove?
  • Are there any legal actions pending against First 4 Internet, the providers of the rootkit software Sony used?
  • Does anyone at First 4 Internet - a supposed technology company - really have any understanding about security?
  • If anyone at First 4 Internet does have a glimmer of understanding about security, do they care, or is money their only concern?
  • Why did Microsoft wait so long before adding Sony's rootkit to its list of spyware to be removed by Windows Defender?
  • When did Microsoft first know about Sony's rootkit?
  • If Microsoft knew about it prior to the 31 October disclosure by Mark Russinovich, why didn't they act sooner?
  • When did other anti-virus and anti-spyware companies first know about Sony's rootkit?
  • If those companies knew about it prior to the 31 October disclosure by Mark Russinovich, why didn't they act sooner? If they knew about it, exactly why are we paying them?
  • Did Sony violate the GPL and LGPL by including code for the MP3 encoder LAME, and other GPL and LGPL code, in its rootkit?
  • If so, what are Sony and First 4 Internet planning to do to address these LGPL and GPL violations? Open-source their viral rootkit?
  • Are any other retailers besides Amazon going to notify customers that they have purchased one of the 52 Sony BMG titles known to contain the rootkit, and offer a refund?
  • What effect will the entire Sony debacle have on other music labels using, or considering the use of, DRM on their CDs?
  • Are any members of the US Congress aware of the Sony rootkit saga, or are they asleep at the wheel?
  • If so, are any proposing legislation requiring CDs to clearly label any DRM they may include? Or going one step further, and banning the practice entirely?
  • How ironic is it that the actions of Sony's music division have damaged the PCs made by Sony's computer division?
  • Does anyone at Sony appreciate the irony?
  • How many music lovers will now turn to illegal file sharing networks to acquire music, since their attempts to do so legally were met by betrayal, apathy, and malice by the very company selling them music?
  • Can you really blame the people who now turn to illegal file sharing?
  • Does Sony see the irony here?
  • Sony is offering to replace infected CDs with MP3s; what sorts of restrictions do those MP3s have? And at what quality level were they made?
  • How many problems are we going to see with Sony's other DRM software made by SunnComm?
  • Will Sony amend its outrageous EULA, which contains provisions in it that are extreme and nonsensical?
  • How much have Sony's sales suffered for all of its CDs? How much will sales suffer in the future?
  • Will consumers remember this episode? For the near future, will the words "Sony" and "rootkit" be linked in consumers' minds?
  • Is Sony going to follow through on its promise to include DRM on all CDs put out by the company?
  • Will Sony follow any of the advice given to it by the EFF?
  • Did Sony learn anything from this future business school case study, or is it just going to try to develop quote-unquote "better" DRM?
  • Will any other companies currently issuing DRM "protected" CDs learn anything from Sony's mess?
  • Will the Sony rootkit incident lead any consumers to switch from Windows to Mac OS X (which was also vulnerable to Sony malware, but not as badly as Windows) or Linux (which wasn't vulnerable at all)?
  • If consumers are unhappy with the Sony rootkit now, how will they feel when they learn about the built-in copy protection found in Windows Media? In future processors and the upcoming Windows Vista?
  • And finally, do companies have the right to take extreme measures, to install software like the Sony rootkit, in order to protect their business models?

Copyright © 2005, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing web applications for corporate, educational, and institutional clients.
