Sony Warned Weeks Ahead of Rootkit Flap 335
pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."
So corporations still lie.... (Score:4, Insightful)
What a load (Score:5, Insightful)
They almost never admitted what they had done, and continually denied the dangers posed by this rootkit.
They only started the recall after people pointed out repeatedly that their "uninstaller" didn't, and recieved criticism from the government.
"as quickly as they could" my ass.
Of course, they could have been smarter and never released it to begin with.
Proves public disclosure is the best for security (Score:5, Insightful)
I think this is great evidence that early public disclosure is very important. At the minimum, the affected users can start using workarounds (turn off insecure systems) until fixes are available.
Another possibility exists... (Score:5, Insightful)
That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.
If this is true... (Score:5, Insightful)
The only defence available to them was that they didn't realise this was happening. They've just lost that.
Impressions (Score:5, Insightful)
They've just lost that credit for me. They knew for a month and were sitting on it! That is not acceptable. There should have been no warning to Sony, just a public statement from F-Secure at the beginning of October about the rootkit.
Re:Another possibility exists... (Score:3, Insightful)
As quickly as they could? (Score:5, Insightful)
In this case, "as quickly as they could" seems to really mean "as slowly as they could get away with."
How long is it going to be before these companies realize that attacking their customers and treating them like criminals really is NOT a good way to do business? Microsoft's "product activation", Sony's rootkit, etc. ad naseum do essentially nothing to stop real hackers from copying software, music, etc., as much as they want, so the only thing they really accomplish is hurting the legitimate customers.
These lousy business practices are reflected in their (lack of) sales too. I don't mean to say a boycott of Sony would necessarily be a bad thing, but for those who haven't looked, take a look at Sony's stock prices [yahoo.com] -- boycott or no, they're not exactly burning up the charts right now.
Now, Sony (etc.) will undoubtedly point to Napster and such as the reason they're not doing as well recently. I don't think that's the case. I think what's happened is that Sony is now concentrating more on forcing customers to pay than they are on producing things customers want. As is visible in their stock price, that simply leads to oblivion, not prosperity.
--
The universe is a figment of its own imagination.
I call b.s. (Score:3, Insightful)
They're telling the truth, in part: they reacted as fast as they could to the bad press. But not to the real issue - the flawed software.
Re:Proves public disclosure is the best for securi (Score:5, Insightful)
I don't think this was a security hole so much as breaking and entering. I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.
This is wonderful! (Score:3, Insightful)
Re:Another possibility exists... (Score:3, Insightful)
which is rediculus because ignorance is NOT (supposed to be) a viable defense in legal actions. I see so many people say "sony probably didn't know blah blah blah" but the truth is, they are responsable for it, so they should make it their duty to know. And if they don't, its (supposed to be) law that they be held accountable.
However, ignorance seems to get you a pass if it involves technology, <sarcasm>since no-one can possably understand that stuff anyway, except for the hackers that exploit it</sarcasm>
Re:Impressions (Score:5, Insightful)
Its easier to prevent a fire by notifying management to fix the sparking wires than to put one out after notifying a world full of pyros to come dump gasoline on it.
tm
It doesn't matter. (Score:3, Insightful)
Until there are devastating consequences for any company that dies this, it just doesn't matter. 90% of the their customers don't even know about this, and the ones that do, don't fully understand it. This can only change once the average consumer is educated on the issue and there are successful lawsuits that punish companies like Sony. Sony knows that this will blow over in a few months and most people will forget about it (except Slashdot readers of course). People will just continue to buy cds like they always have.
gasmonso http://religiousfreaks.com/ [religiousfreaks.com]Re:If this is true... (Score:4, Insightful)
Sony is primarily a foreign company, so they won't get a free pass. However, the majority way these things usually work out is one or more politically ladder-climbing motivated Attorney Generals sue Sony "on behalf of the people" or somesuch hollow excuse. The proceedings drag on at a glacial legal-system pace, bad PR fades out of the public eye, and eventually AG announces an out of court "settlement" between company and the State. Said settlement money goes straight into State's coffers, never to be seen or heard about again.
All in the end, you are still out $18 for a dodgy CD disc and stuck with a rootkit infecting your PC.
Re:Impressions (Score:5, Insightful)
Re:Impressions (Score:4, Insightful)
Who cares when Sony was warned... (Score:4, Insightful)
F-Secure warned Sony about the dangers on October 4th, yet still failed to protect any of it's users in a timely manner.
Re:Impressions (Score:3, Insightful)
F-Secure should have made this public 30 days after notifying Sony. This way, at least Sony has a chance to fix this. And if they didn't too bad for them and they deserve what they get.
Of course, for all we know F-Secure might have planned to do this. The rootkit was made public slightly less than 30 days after Sony was informed. Perhpas a couple of days later, F-Secure would have blown the whistle.
Can't trust the company. (Score:2, Insightful)
Be proactive.
Watch out for yourself.
The only way to get a corporation to look out for your best interests is to convince it (remind it?) that your interests are their interests (happy customers!).
Make your interests clear by voting with your wallet. Is there a company out there that tries to fix security holes before the customer knows about them? If so, buy your products from them.
As I wrote that last bit, it occurred to me: perhaps leaving the security-hole-finding business up to the customer base is good business sense because it works and is cheaper than hiring your own security-hole-finders. I guess that brings us back to the proactive list.
In short, I agree totally with your post.
Re:Sony LOVES DRM (Score:4, Insightful)
Sony's way ahead of you. Buy a sony Walkman "MP3" player and it won't play anything but propriatery ATRAC files. It won't even play MP3s, hence the quotation marks on MP3 above.
F-Secure, and who else? (Score:3, Insightful)
Re:Still on the Shelves (Score:2, Insightful)
And I am sure a judge would call bullshit on this and in fact hold them responsible for the malware that they created, should this ever come up in court. After all, a program doesn't write itself, and the programmer(s) should have been aware of the nature of the code they were creating.
Just because something is in a EULA does not always make it legally binding, such as... (fill in the usual outlandish hypothetical EULA terms that get posted as examples here.)
Yeah... (Score:5, Insightful)
You can just hear the urgency can't you...
Re:Impressions (Score:5, Insightful)
The difference between a Microsoft security issue and the Sony rootkit is earth and sky.
If F-Secure would have identified a flaw in Microsoft's software, then it's ok if they give the company a grace period to get a patch ready.
There was no such patch to be prepared in the case of Sony.
The following things are sensible to be done when someone finds a new rootkit spreading in the wild:
Let's face it: By telling Sony about it and not going for public disclosure F-Secure accomplished nothing but let even more users get infected by this rootkit. Sony is not a software company, there wasn't a flaw in a software that needed to be fixed, but the software itself removed! That requires no cooperation on behalf of Sony.
Re:Proves public disclosure is the best for securi (Score:5, Insightful)
The actual people that did the hacking were working for this "First4Internet" company. Anyone that designed, wrote or approved a part of the software deemed to be inappropriate could face jail time. There were people at Sony that approved this technology for use on CDs; they could face jail time. There were people at Sony that knew that their software included a rootkit and insecure kernel modifications, and yet claimed otherwise; they could face fraud charges (for an individual to say, "I am not a crook," is legal, but to knowingly lie about a product offered for sale is fraud). Anyone with much knowledge of the workings of this product should have known that it was illegal, just as Kevin Mitnik or any other cracker surely knows that whatever he does (like I said, I have no idea what it was that he did) is illegal. That would be equal justice.
Media companies don't get it. (Score:3, Insightful)
a. How to hide the DRM software better so it will not be detected NEXT TIME.
b. How to silence the whistle blower so that if line item a fails, the word never leaks out.
c. How to fabricate pausable deniablity if the word leaked out despite line item b.
In summary, for the media company, the entire affair isn't about what wrong they inflicted on their PAYING CUSTOMERS, but about how to contain the situtation and continue to "protect THEIR rights."
Re:Impressions (Score:1, Insightful)
I'm not picking specifically on F-Secure here; all of the other antivirus companies are just as guilty. My point is that these companies don't send out a notice to virus writers--why is Sony getting special treatment?
Re:Another possibility exists... (Score:5, Insightful)
In the case of operating systems, even Microsoft should be able to invoke ignorance, as the best minds money could buy cannot properly figure out exactly what a patent covers, and even if they could, proper enforcement would result in losses to GDP easily exceeding 20% as companies retool to avoid the use of computers and replace them with typewriters and file cabinets (typing and data storage), servos and relays (industrial processes, automobiles, microwaves, anything else currently built with computers). On top of increased staffing needs for most corporations, energy efficiency will decline as the carbeurator will replace fuel injection in autos and electric power plants retool to manual operations (certain plants, like many solar plants and photovoltaic systems, are likely to be entirely unoperable and mothballed). Efficiency might be maintained by switching to turbine-based engines (say, steam turbines or gas turbines), but such a switch would drastically increase the cost and complexity of automobiles. Telephone companies in particular will have to hire many switchboard operators and we can expect to see call costs rise back to pre-AT&T breakup costs. A modern Cold War-style military such are our own is dependant on computers from everything from remote control drones to fighter planes to secure and rapid communications. And lastly, Slashdot would not be possible without computers.
That said, I feel that Sony is entirely responsible for what they did as they should have known better. Trojan horses being no-nos is just plain common sense and they serve no legitamite purpose. Sony purposefully wrote or purchased a program to have this function, and as Sony is in the software business they can be expected to be authorities on the subject and act accordingly (as opposed to patents which require substantial knowledge in law just to understand, no less safely navigate - and the cost of compliance is so high that no reasonable corporation can be expected to fully comply with them as it would entail disbanding the corporation in many instances)
No excuse (Score:2, Insightful)
Re:Impressions (Score:3, Insightful)
Re:Impressions (Score:4, Insightful)
This analogy doesn't work.
This wasn't a flaw being exploited by some immoral third party. This wasn't a bug, this wasn't an unforeseen error in functionality.
This was malware, doing precisely what it was intended to do.
F-Secure was acting in the best interest of the people who had been infected by this rootkit.
No, they weren't. What would have been acting in the best interested of the people who had been infected would be to tell people "You've been infected by a rootkit."
However, they gave Sony BMG a reasonable chance in fixing the security holes, as they do give any other company rightly so.
They do?
They give the authors of viruses and trojans the chance to fix their viruses and trojans before they offer fixes for them?
Oh, they don't do that? Then why should they do that for Sony when Sony deliberately releases malware into the wild?
Once again, this was not a bug. This was malware. You don't notify authors of malware that you've found their stuff, and give them an opportunity to rewrite it to be slightly less mal before you go public. You write a fix, and notify the public.
Re:Don't forget Sony's other nasty DRM (Score:5, Insightful)
Haven't you learned by now that any lost sales are blamed on piracy? Which means it will probably just lead to more DRM bullshit. I mean, it's gotten to the point where I can no longer justify buying a CD. Why shouldn't I be able to backup a cd I payed 20 bucks for? It will end up with me doing something illegal either way. It's cool because the stuff I download doesn't have DRM!
Mitnik (Score:3, Insightful)
Looking back now, you can't help wondering why all the fuss. Mitnick did pry around some academic, corporate and military related systems but always maintained he did no damage. He certainly seemed to act out of curiosity and as a challenge rather than with malice. He has yet to write his account of the episode.
What Mitnik did pales into insignificance compared with what goes on now - spammers acting with apparent impunity, crackers installing and controlling bots in their tens of thousands, market researchers planting spyware, and even previously respected household names like Sony pushing Trojans onto the unsuspecting public. Activities which seriously threaten the continued viablity of the internet as a medium.
Company directors can be sent to jail, as Mitnik was. However I doubt it will happen because the legal authorities and the public are now punch drunk with misbehaviour in the IT field. They were sharp and keen against Mitnik but now they are weary and cannot be bothered to pursue the wrong-doers.
It is much easier for the authorities to dismiss this case with "Oh well, surely Sony couldn't have meant any harm, could they?"
Re:If this is true... (Score:1, Insightful)
At least, as a Sony employee, that's my hope.
If I were a Sony investor, I'd be asking real hard questions about why the company is spending many millions of dollars on "technology" that does not work, will never work, and is instead just dragging the company's formerly good name through the dirt and pissing off costumers.
Re:Another possibility exists... (Score:5, Insightful)
MPlayer, Linux, LAME etc etc, are perfectly legal here in the UK since software patents are not enforcable. The problem is not with the software, it's with the US patent system.
Bob
Re:Another possibility exists... (Score:3, Insightful)
It's just as safe to say that there are yet to be discovered patent violations in (insert name of large software project) as it is safe to say that at least a single extra reservoir of oil will be found or that you will find at least one mine by clicking randomly on the squares in minesweeper and that you will undoubtedly lose with that strategy.
Political, not technical (Score:3, Insightful)
Re:Impressions (Score:3, Insightful)
F-Secure shouldn't have given Sony a chance at all - they should have added a signature so that if I stuck a Sony CD in my machine it would be detected and I would be warned. What the fuck else would I want their product for?
Justin.