Sony fiasco: More questions than answers
Rootkit rumpus rumbles on
The big story the last few weeks has been the Sony BMG rootkit and in fact, it's the kind of story for which columnists drool: a big company does something unbelievably dumb that violates basic security principles. Many questions have arisen in my mind over the past few weeks as I've watched this story unfold. I'd like to share a few of them with you. If you have answers - or more questions - email them to me at the byline link above.
- How many corporate, government, military, and scientific organizations will ban the use of any Sony CD now on any machine connected to their networks?
- How long until those bans extend to any copy-protected CD made by any music company?
- How long until those bans extend to any music CD, period?
- How many corporate, government, military, and scientific networks have been compromised by the Sony rootkit?
- Have any security breaches occurred on a corporate, government, military, and scientific network due to the Sony rootkit?
- What actions will Sony face as a result of any security breaches?
- How would those corporate, government, and scientific organizations have reacted if a group hostile to American interests had engaged in the same security violations practiced by Sony?
- Who did Sony rely on to do the shoddy development work on the ActiveX control used to "uninstall" the Sony rootkit?
- Has anyone been damaged by the ActiveX control, which leaves PCs wide open to a variety of attacks?
- When will Sony release a method for actually removing all traces of their rootkit from a PC?
- Will that method further open up PCs to new security holes?
- How many cheats, viruses, and Trojan Horses will use the Sony rootkit as cover for their own installation and actions?
- Does anyone at Sony - either in management or IT - really have any understanding about security?
- Did Sony ever bother to think through the ramifications of its rootkit?
- Who made the decision at Sony to implement the First 4 Internet rootkit?
- Is that person - or persons - facing sanctions? Demotion? Firing?
- Has anyone sat down with Thomas Hesse, President at Sony BMG and utterer of the line "Most people, I think, don't even know what a rootkit is, so why should they care about it?", and explained to him just how stupid his statement is?
- How successful will the legal actions against Sony prove?
- Are there any legal actions pending against First 4 Internet, the providers of the rootkit software Sony used?
- Does anyone at First 4 Internet - a supposed technology company - really have any understanding about security?
- If anyone at First 4 Internet does have a glimmer of understanding about security, do they care, or is money their only concern?
- Why did Microsoft wait so long before adding Sony's rootkit to its list of spyware to be removed by Windows Defender?
- When did Microsoft first know about Sony's rootkit?
- If Microsoft knew about it prior to the 31 October disclosure by Mark Russinovich, why didn't they act sooner?
- When did other anti-virus and anti-spyware companies first know about Sony's rootkit?
- If those companies knew about it prior to the 31 October disclosure by Mark Russinovich, why didn't they act sooner? If they knew about it, exactly why are we paying them?
- Did Sony violate the GPL and LGPL by including code for the MP3 encoder LAME, and other GPL and LGPL code, in its rootkit?
- If so, what are Sony and First 4 Internet planning to do to address these LGPL and GPL violations? Open-source their viral rootkit?
- Are any other retailers besides Amazon going to notify customers that they have purchased one of the 52 Sony BMG titles known to contain the rootkit, and offer a refund?
- What effect will the entire Sony debacle have on other music labels using, or considering the use of, DRM on their CDs?
- Are any members of the US Congress aware of the Sony rootkit saga, or are they asleep at the wheel?
- If so, are any proposing legislation requiring CDs to clearly label any DRM they may include? Or going one step further, and banning the practice entirely?
- How ironic is it that the actions of Sony's music division have damaged the PCs made by Sony's computer division?
- Does anyone at Sony appreciate the irony?
- How many music lovers will now turn to illegal file sharing networks to acquire music, since their attempts to do so legally were met by betrayal, apathy, and malice by the very company selling them music?
- Can you really blame the people who now turn to illegal file sharing?
- Does Sony see the irony here?
- Sony is offering to replace infected CDs with MP3s; what sorts of restrictions do those MP3s have? And at what quality level were they made?
- How many problems are we going to see with Sony's other DRM software made by Suncomm?
- Will Sony amend its outrageous EULA, which contains provisions in it that are extreme and nonsensical?
- How much have Sony's sales suffered for all of its CDs? How much will sales suffer in the future?
- Will consumers remember this episode? For the near future, will the words "Sony" and "rootkit" be linked in consumers' minds?
- Is Sony going to follow through on its promise to include DRM on all CDs put out by the company?
- Will Sony follow any of the advice given to it by the EFF?
- Did Sony learn anything from this future business school case study, or is it just going to try to develop quote-unquote "better" DRM?
- Will any other companies currently issuing DRM "protected" CDs learn anything from Sony's mess?
- Will the Sony rootkit incident lead any consumers to switch from Windows to Mac OS X (which was also vulnerable to Sony malware, but not as badly as Windows) or Linux (which wasn't vulnerable at all)?
- If consumers are unhappy with the Sony rootkit now, how will they feel when they learn about the built-in copy protection found in Windows Media? In future processors and the upcoming Windows Vista?
- And finally, do companies have the right to take extreme measure, to install software like the Sony rootkit, in order to protect their business models?
Copyright © 2005, SecurityFocus
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing web applications for corporate, educational, and institutional clients.
Sponsored: Becoming a Pragmatic Security Leader