Sony fiasco: More questions than answers

Rootkit rumpus rumbles on

The big story of the last few weeks has been the Sony BMG rootkit, and in fact it's the kind of story for which columnists drool: a big company does something unbelievably dumb that violates basic security principles. Many questions have arisen in my mind over the past few weeks as I've watched this story unfold. I'd like to share a few of them with you. If you have answers - or more questions - email them to me at the byline link above.

  • How many corporate, government, military, and scientific organizations will ban the use of any Sony CD now on any machine connected to their networks?
  • How long until those bans extend to any copy-protected CD made by any music company?
  • How long until those bans extend to any music CD, period?
  • How many corporate, government, military, and scientific networks have been compromised by the Sony rootkit?
  • Have any security breaches occurred on a corporate, government, military, or scientific network due to the Sony rootkit?
  • What actions will Sony face as a result of any security breaches?
  • How would those corporate, government, and scientific organizations have reacted if a group hostile to American interests had engaged in the same security violations practiced by Sony?
  • Who did Sony rely on to do the shoddy development work on the ActiveX control used to "uninstall" the Sony rootkit?
  • Has anyone been damaged by the ActiveX control, which leaves PCs wide open to a variety of attacks?
  • When will Sony release a method for actually removing all traces of their rootkit from a PC?
  • Will that method further open up PCs to new security holes?
  • How many cheats, viruses, and Trojan Horses will use the Sony rootkit as cover for their own installation and actions?
  • Does anyone at Sony - either in management or IT - really have any understanding about security?
  • Did Sony ever bother to think through the ramifications of its rootkit?
  • Who made the decision at Sony to implement the First 4 Internet rootkit?
  • Is that person - or persons - facing sanctions? Demotion? Firing?
  • Has anyone sat down with Thomas Hesse, President at Sony BMG and utterer of the line "Most people, I think, don't even know what a rootkit is, so why should they care about it?", and explained to him just how stupid his statement is?
  • How successful will the legal actions against Sony prove?
  • Are there any legal actions pending against First 4 Internet, the providers of the rootkit software Sony used?
  • Does anyone at First 4 Internet - a supposed technology company - really have any understanding about security?
  • If anyone at First 4 Internet does have a glimmer of understanding about security, do they care, or is money their only concern?
  • Why did Microsoft wait so long before adding Sony's rootkit to its list of spyware to be removed by Windows Defender?
  • When did Microsoft first know about Sony's rootkit?
  • If Microsoft knew about it prior to the 31 October disclosure by Mark Russinovich, why didn't they act sooner?
  • When did other anti-virus and anti-spyware companies first know about Sony's rootkit?
  • If those companies knew about it prior to the 31 October disclosure by Mark Russinovich, why didn't they act sooner? If they knew about it, exactly why are we paying them?
  • Did Sony violate the GPL and LGPL by including code for the MP3 encoder LAME, and other GPL and LGPL code, in its rootkit?
  • If so, what are Sony and First 4 Internet planning to do to address these LGPL and GPL violations? Open-source their viral rootkit?
  • Are any other retailers besides Amazon going to notify customers that they have purchased one of the 52 Sony BMG titles known to contain the rootkit, and offer a refund?
  • What effect will the entire Sony debacle have on other music labels using, or considering the use of, DRM on their CDs?
  • Are any members of the US Congress aware of the Sony rootkit saga, or are they asleep at the wheel?
  • If so, are any proposing legislation requiring CDs to clearly label any DRM they may include? Or going one step further, and banning the practice entirely?
  • How ironic is it that the actions of Sony's music division have damaged the PCs made by Sony's computer division?
  • Does anyone at Sony appreciate the irony?
  • How many music lovers will now turn to illegal file sharing networks to acquire music, since their attempts to do so legally were met by betrayal, apathy, and malice by the very company selling them music?
  • Can you really blame the people who now turn to illegal file sharing?
  • Does Sony see the irony here?
  • Sony is offering to replace infected CDs with MP3s; what sorts of restrictions do those MP3s have? And at what quality level were they made?
  • How many problems are we going to see with Sony's other DRM software, made by SunnComm?
  • Will Sony amend its outrageous EULA, which contains provisions in it that are extreme and nonsensical?
  • How much have Sony's sales suffered for all of its CDs? How much will sales suffer in the future?
  • Will consumers remember this episode? For the near future, will the words "Sony" and "rootkit" be linked in consumers' minds?
  • Is Sony going to follow through on its promise to include DRM on all CDs put out by the company?
  • Will Sony follow any of the advice given to it by the EFF?
  • Did Sony learn anything from this future business school case study, or is it just going to try to develop quote-unquote "better" DRM?
  • Will any other companies currently issuing DRM "protected" CDs learn anything from Sony's mess?
  • Will the Sony rootkit incident lead any consumers to switch from Windows to Mac OS X (which was also vulnerable to Sony malware, but not as badly as Windows) or Linux (which wasn't vulnerable at all)?
  • If consumers are unhappy with the Sony rootkit now, how will they feel when they learn about the built-in copy protection found in Windows Media? In future processors and the upcoming Windows Vista?
  • And finally, do companies have the right to take extreme measures, to install software like the Sony rootkit, in order to protect their business models?

Copyright © 2005, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing web applications for corporate, educational, and institutional clients.
