Sony Rootkit may Lead to Regulation

An anonymous reader writes "Computerworld has a story about DHS officials meeting with Sony to read them the riot act, following the rootkit fiasco. From the story: 'A U.S. Department of Homeland Security (DHS) official warned today that if software distributors continue to sell products with dangerous rootkit software, as Sony BMG Music Entertainment recently did, legislation or regulation could follow.'"

WTF?

So if a 15 year old crashes his school's webserver by getting a bunch of friends in IRC to click on it too many times he can be prosecuted, but if a global megacorporation does something far more insidious (effectively, SELLING you TROJANED media), then "we need regulation"?

Why are people not in jail for this yet?

(yes, that was a rhetorical question).

smash.

Re:You haven't figured it out yet?

No. The principle of capitalism ist: Privatize profits, communalize costs. Sony BMG was just trying to profit privately from non copyable media while externalizing the costs to thousands of PC owners.

Re:You haven't figured it out yet?

No, that just makes it good business, according to the reprehensible predatory practices that are currently deemed as acceptable business behavior. Corporate execs and shareholders alike love nothing better than to externalize expenses, and they really don't give a damn who has to bear that burden, as long as it's not them.

Re:You haven't figured it out yet?

You might also want to keep in mind that "true capitalism", as well as "true communism" are mind constructs that are completely impossible to setup in the real world because there is no way that most people are actually going to play nice. If they can screw you to increase their benefit, they will. Which is why an external regulatory agent is needed (even though that idea is apparently blasphemous to the US mindset).

Re:WTF?

According to www.opensecrets.org Sony has, over the years, ponied up millions of dollars in contributions to political parties. I haven't seen that 15 year old script-running-juvenile matching that.

Re:WTF?

I don't need opensecrets.org to tell me that. :)

I was merely trying to point out how "fucked up" the system is - we live in a world that allowed the two events described above to have the outcomes they did...

smash.

Re:WTF?

Because its shareholders are largely voters. The Supreme Court has ruled money to be speech, and the Right of the People to assemble to petition the government for redress of grievances is in the Constitution. Like it or not, a corporation is an assembly of some of the People, just like a union, or political party.

I agree it stinks, but I'm not exactly sure how we stop it short of a constitutional amendment, and if that amendment is too broadly worded, the cure could be worse than the disease.

Re:WTF?

But the 15 year old is a terrorist for attacking national infrastructure. The company is just trying to protect it's godgiven right for profits.

Re:WTF?

Corporation: An organization created in order to generate individual profit without individual responsibility.

That is why no on is in jail, it goes against the very idea of corporations. :o)

Security Flaws are Not the Issue

It really bugs me that DHS and generally everyone else are looking at this issue as if the security vulnerabilities in the Sony rootkit are the main issue. And perhaps it is to them, but not to me. The real issue is that Sony is installing software on computers without the owner's permission, and it's software that intentionally hobbles hardware/software you paid for. That's like being upset, not because a thief stole your TV, but because he left the back door unlocked when he left.

The recent Sony experience

"The recent Sony experience..." This phrase makes me wonder if Sony is going to be a catch phrase.

"I just bought a DVD with rootkit software on it."
"You've been Sony-ed", or,
"That's the Sony experience!"

Re:The recent Sony experience

I recently (about 2 weeks ago) had to buy two new monitors for my office. My business partner mentioned she saw a sale on some Sony LCD -- I said "no way" and we got something else. Had Sony not gone out of its way to be evil, I would've said "sure". Perhaps "Sonied" will be a term for companies that shoot themselves in the head with their marketing practices. I'd rather see that than a lot of customers being screwed.

Re:The recent Sony experience

And just the other day, I was watching downloaded David Attenborough documentaries, and the name "Sony" popped up on one of the special cameras used there - I exclaimed "No way!" and used mencoder to edit the relevant part out right away. That'll teach 'em!

Re:The recent Sony experience

Vaio was one of the more popular laptop models for our salesforce. It has now been dropped from list of approved products.

Re:The recent Sony experience

"Sony, making your entertainment experience more thrilling"

So..

Sony's root kit disabled the Department of Homeland Security's root kit. I can see why they might be miffed.

Re:So..

What if I want to make my own rootkit? Will I have to register it with the DHS, and get them to audit it for security holes and check it for compatibility with their own rootkit?

And what about Linux rootkits? Will Linux rootkits be supported by the DHS? Or will they just be banned altogether? Surely the DHS can't be stuffed writing a Linux rootkit as well as a Windows rootkit.

Even scarier... what if Linux rootkits weren't regulated at all? Cyberterrorists could go on a rampage of linux rooting, and the government wouldn't be able to stop them, or more importantly, tax them.

Hmm... that's an idea, the DHS could implement a rootkit tax, to fund their own rootkit development, and better protect our fellow God-fearing American citizens from the cyberterrorists of the future.

The War on Terror is ending. The War on Rootkits is only just beginning...

Threatening Legislation

So they have not been punished for their crime,

They are not even being told they will get punished if they do it again,

It seems to say, if you do it again, only then will make it illegal so you can't do it a third time.

(Gee, I'll have to try that one next time I get busted by the cops - its only my first offence, officer, you shouldn't lock me up until I've done it at least 3 times)

Re:Threatening Legislation

Or, as another poster pointed out, perhaps the "legislation" will LEGALISE their behavior so that the "problem" doesn't occur again, as they're acting within the law.

smash.

Regulation?

Ohh, you mean legalization and decriminalization of these behaviors, so that this does not become an issue again. Anything less than a total ban, backed up by some serious time in a federal pound you in the ass facility, means that someone has been bought out.

DHS???

Wasn't that delivery service Ace Ventura worked for?

So the time has finally come...

I suppose the time has finally come when we side with music companies and hope they'll make a new rootkit. :-)

Mr. & Mrs. Smith DVD

Lets hope the industry learns soon. There are recent products shipping with rootkits on them like the german release of Mr. and Mrs. Smith. http://www.f-secure.com/weblog/archives/archive-02 2006.html#00000810 [f-secure.com]

Re:Mr. & Mrs. Smith DVD

Oh and it *is* a true virus. It replicates in exactly the same way as eg. an outlook virus.

Apple haven't got a fix out yet but I guess they will soon (WTF is system software doing loading libraries from the home directory anyway? There's a *reason* why /usr/lib is only writable by root..)

From the virus summary:

"Leap.A installs a bundle to '~/InputManagers/apphook' that hooks certain iChat functions. When any of the user's buddies change their status, the worm initiates a file transfer and sends a copy of ' 'latestpics.tgz'. The file transfer is not visible to the user as the worm hides the transfer status information."

"The worm enumerates all applications on the computer that were used during the last month. Leap.A replaces the main executable of those applications with itself and saves the original file to a resource fork with the same filename. When the application is opened the worm activates first, then it runs the original application from the resource fork."

My EFF Action letter worked!

Hooray!
I told my senator to tell the RIAA and Sony to go f##k themselves... I guess he listened.

threatening?

Why merely threaten legislation if it continues to happen? Laws against "products with dangerous rootkit software" wouldn't seem to harm anyone. Enact the legislation now.

not malicious?

From TFA:

While Sony's software was distributed without malicious intent

I guess that depends on what you mean by malicious. As far as I'm concerned, anyone who distributes trojans is either malicious, or mentally insane — on the same level as the man who thinks he's a poached egg.

Re:not malicious?

The real thing was likely more crimial negligence than an attempt to break things. They should thus pay for all the associated costs as anyone breaks something owned by someone else and so on...

eh?

You mean this was legal?

Mod Parent Up.

To have the government threaten to enact legislation is like having a parent wave their finger at a naughty child warning him not to break ANY MORE of the neighbor's windows.

Laws have already been broken and all we're seeing is warnings implying this may be made illegal in the future.

No malicious intent?

While Sony's software was distributed without malicious intent, the DHS is worried that a similar situation could occur again, this time with more serious consequences. "It's a potential vulnerability that's of strong concern to the department," Frenkel said.

Would someone please define malicious? I think it WAS malicious.

------------
The American Heritage dictionary:
malicious (m-lsh's) pronunciation
adj.

Having the nature of or resulting from malice; deliberately harmful; spiteful.

-------------
Thompson-Gale Legal Encyclopedia:
Malicious

Involving malice; characterized by wicked or mischievous motives or intentions.

An act done maliciously is one that is wrongful and performed willfully or intentionally, and without legal justification.

--------------
I'd say that given Sony's generally agressive posture with regards to personal/individual fair use and copyright infringement, I think they could easily be characterized using words like "angry" and "vengeful." And regardless of the emotional component, it was certainly wrongful, willfull, intentional and without legal justification.

It seems like a case of

do as we say, not as we do.

Since when did the Executive branch make laws?

Last time I checked, the DHS doesn't work for the Legislature. Their job begins and ends with enforcing the existing laws.

wrong act....

read them the riot act

Should it not read RICO act?

And yet, the cynic in me...

...thinks that DHS would love for this to happen again.

From TFA: Baker stopped short of mentioning Sony by name, but Frenkel did not. "The recent Sony experience shows us that we need to be thinking about how to ensure that consumers aren't surprised by what their software is programmed to do," he said.

I could almost see them thinking, . o O (...and the best way to do it would be to stringently regulate consumers' computers, so that we can watch for intrusions of this sort in future and prepare for them. Oh, do it again Sony? Ohpleaseohpleaseohpleaseohsnausagesohplease!)

Could someone explain?

A 17 year old writing a stupid trojan that does little but spread receives a 2 year sentence in jail and is only safe from compensation since companies didn't want to have the public know their systems are insecure.

Read: Juvenile dick-waving without commercial interest -> 2 years prison.

A large corporation spreading a rootkit with their product to their paying customer with the intent to cripple their customer's software performance (not being able to use it as intended, by manufacturer or user) that also has the capability of spying on their behaviour (allegedly they didn't use that function, but ... yeahsure) receives... a recommendation not to do anything like this again or else we might have to think about creating laws banning this behaviour (hey, those laws exist, enact them!).

Read: Commercial malvolent infiltration of customer's computers -> Nada.

The world sure is changing. When I was still in school, adding "commercial" to a crime sure upped your sentence by some magnitude. Nowadays it seems to be your "get out of jail" card if you commit a crime with financial interest.

Al Capone simply died too early. He'd love these times.

Angelina Jolie only?

No mention of Brad Pitt? Has he fallen so far that Jolie is an "American film star" and he isn't? (Not that this has anything to do with the meat of the article, but I thought it a little odd.)

Talk about a misleading submitted post

The main bulk of the article is about a recent speech where the director of law enforcement policy talked about how companies should be careful about how they implement copy protection and how it should not damage or surprise users in how it works.
In there is a small paragraph mentioning that DHS and a talk with Sony that what they did "was not a useful thing", which becomes the main thing.
The thing thing that should of been focused on was the message from DHS that companies should not defeat the security measures that people have in place on thier computers.

Could someone sue StarForce spreaders please?

I was about the download the demo for Battle for Middle Earth 2 the other day, only to read that the goddamn DEMO comes with the StarForce [boingboing.net] malware.

According to Wikipedia [wikipedia.org], Ubi Soft, Digital Jesters and Codemasters routinely use StarForce on new games. Forget about consoles, THIS is what might kill PC gaming permanently.

What is a rootkit?

If you are looking for a good reference to understand a rootkit I recommend Matt Vea's article "Rootkits: The 'r00t' of Digital Evil." He wrote it back in Novemeber when the Sony fiasco was first revealed. Link: http://www.omninerd.com/2005/11/22/articles/43 [omninerd.com]

Important distinction

Another exaple of our tax-dollar-paid servants not applying themsleves to the task mentally:

"A U.S. Department of Homeland Security (DHS) official warned today that if software distributors continue to sell products with dangerous rootkit software, as Sony BMG Music Entertainment recently did, legislation or regulation could follow."

The important thing to keep in mind is that, while SONY may have a software division, the product sold wasn't even a software product at all, and no disclosure of a software product was discussed in any terms of sale, etc. The whole software angle was completely surrepetitious. It's not just "software distributors" that need policing here. When it boils down to it, this SONY division had no business "engineering" software into their product; they had little grasp of the ethics or the technical implications of what they were doing... or at least that's what they tell us now. For all we know, they were fully aware and just did it anyway thinking plausible deniability was all they would need when it came to light. If indeed they thought so, they would seem to have been prescient - nothing has happeded because of it. I for one am a bit surprised at that.

Sony should be prosecuted

for distributing Celine Dion CDs. I don't mind rootkit (haven't bought "CD" in 10 years), but for Pete's sake, someone feed that woman.

forget rootkits...

what I want is a w00tkit!

Linkage to blueray software

Interesting. I will wait with interest to see whether any such legislation can be created that does not also force a ruling against the software embedded in new DVD drives that will let remote attackers brick your hardware. In particular, this will be quite fun if there is a system driver that gets installed (r00tkit!) which enforces the process across all copy operations. I think the definition of rootkit is a slippery sliding thing and you could even say Microsoft supplies them if you didn't know about it when purchasing Windows, or if it gets installed in an automated update (e.g. of Media Player).

What they really want...

...is to buy the technology so they can keep an eye on all you terrorists out there ;)

Megacorp meets with secret police

I'm sure good things will come of this. :/

Translation

You better hide the rootkit better next time so even the geeks can't find it or we might have to make an effort to save face around here. ...Have another of those suitcases filled with hundreds handy?

Surely this isn't needed?

Given the raft of class action lawsuits launched against Sony, and the subsequent restrictions on TPM (technological protection measures) software they can use, would any company dare risk including root-kit like TPM's? At the end of the day the risk-benefit analysis will rule it out without the need for legal intervention surely?

Grab the Pitchforks and Torches!

I wonder if there is grounds for a class action lawsuit?

If the rootkit that was installed take me a few hours to uninstal and/or fix my system, why can't I claim damages? (like any other business hacked into!) My time is worth something.
If everyone who had the rootkit installed, had to call Geeksquad to restore their computer to working order, AND shell out folding green dollars for their service, that is REAL monetary damages.

Sony BMG settles

On a side note, Sony BMG settled the class action lawsuit filed against them by the EFF. If you want replacement CDs released by Sony BMG that don't have XCP or MediaMax on them, head to http://www.eff.org/sony [eff.org] for more info.

It's your chance to stick it to the man.

Morals? Ethics?

I've often wondered why things like this rootkit exist in the first place. Does Sony only employ those who are morally bankrupt? Surely someone at some point in Sony would have said "Hey, this is kinda evil".

Dollar Power?

Why can't the market just dictate that companies can't hide 'root kits' on their music CDs?

If people just stop buying their crap, they will change how they do business or go out of business.

WHAT?!

This is like telling a rapist he better "Cut it out now... its not funny anymore. Seriously... please? If... if you don't stop we'll have to give you a warning. I'm serious... hey.... HEY! Stop humping my leg! BAD RAPIST!!!"

How lax can they get?! When you hurt millions of people, you get punished. So, if Sony puts out another rootkit, will they be at all worried about repercussions? Hell no! They just got away with it.

Just in the nick of time too!

It's only been a little over 3 months since the Sony rootkit story was all over the news. It's heartwarming to see the sort of speed at which the Department of Homeland Security operates. I'll bet it makes you feel ever so safe to think that these are the same people in charge of combating terrorism...

So....

How many of you have sold your PS2?

Sony's Business Model

Unfortunately all the boycotting us /.'ers partake in won't pay off in the end. It is hard to boycott a company effectively whose business timeline is as follows:

1. Declining Music Sales... Blame Piracy
2. Release Trojan Rootkit to Fight Piracy... (damn kids)
3. Consumers boycott all Sony products
4. Further Declining Music Sales and Now Declining Sales in All Product Lines
5. Blame Piracy
6. Call Government Buddies and Release Series of Laws/Rootkits Opressing Consumers

Damn corporate nation we live in today, and the Bush administration is doing anything but helping.

Who do we root for? (No pun intended. Really.)

DHS -vs- Sony?!?! I mean, it's kinda like that movie where Freddie Kruger and Jason Voorhees fight each other; which one should we root for?





Disclaimer The comments above should in no way be considered a comparison between the characters in that movie and the parties mentioned in the article. Any similarities are purely coincidental and the reference was made solely to illustrate the relative difficulty of determining a "favorite" in the contest.

In other words: Freddie and Jason, please don't be offended!