Feeds

Homeland security urges DRM rootkit ban

Give it up

SANS - Survey on application security programs

US government officials took Sony BMG to task over its controversial use of rootkit-style copy protection at a security conference this week. If the technology proves harmful to consumers, tougher laws and regulations might be proposed, a senior Department of Homeland Security exec warned.

"Legislation or regulation may not be appropriate in all cases, but it may be warranted in some circumstances," said Jonathan Frenkel, director of law enforcement policy with the DHS's Border and Transportation Security Directorate, PC World reports.

Sony BMG's flawed approach to Digital Rights Management technology was exposed after security researchers discovered XCP anti-piracy software, that shipped with some of Sony BMG's music CDs, masked its presence and introduced a vulnerability that hackers and virus writers began to target. Under pressure, Sony was forced to recall discs loaded with the technology and create an exchange program for consumers.

Sony came in for yet more criticism after it emerged that SunComm's MediaMax anti-piracy software, used as an alternative to First4Internet's XCP program on Sony BMG CDs shipped in the US and Canada, also created a security risk. The first version of the patch released to address the SunnComm MediaMax version 5 software had a flaw of its own. Security researchers are currently reviewing a second patch.

DHS officials had a meeting with Sony BMG shortly after the story broke during which the entertainment reps were read the riot act. "The message was certainly delivered in forceful terms that this was certainly not a useful thing," Frenkel said.

Government officials are concerned that the rootkit tactic, if repeated, could leave consumers' systems open to hacker attack. The DHS lacks the power to push through laws itself, but it does have the ears of legislators, if not all the elements of the entertainment industry.

Despite the adverse publicity provoked by the Sony BMG incident, the entertainment industry is still experimenting with the use of rootkit-style copy protection technology. For example, it emerged earlier this week that the German language DVD release of Mr and Mrs Smith, which stars Brad Pitt and Angelina Jolie as a married couple who hide their jobs as assassins from each other, contained a rootkit. The Settec Alpha-DISC copy protection system used on the DVD incorporates rootkit-like features to hide itself, according to an analysis by anti-virus firm F-Secure.

"The recent Sony experience shows us that we need to be thinking about how to ensure consumers aren't surprised by what their software is programmed to do," Frenkel said during a panel discussion at the RSA 2006 security conference in San Jose this week. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.