Sony Warned Weeks Ahead of Rootkit Flap

pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."

So corporations still lie....

[MaskedSlacker]

So Sony was lying its collective arse off when saying it reacted as quickly as it could? This is news how?

What a load

[Microlith]

Scramble? To contain the crisis?

They almost never admitted what they had done, and continually denied the dangers posed by this rootkit.

They only started the recall after people pointed out repeatedly that their "uninstaller" didn't, and recieved criticism from the government.

"as quickly as they could" my ass.

Of course, they could have been smarter and never released it to begin with.

Proves public disclosure is the best for security

Until a security hole is widely published (not privately communicated) it's very likely to continue spreading unchecked.

I think this is great evidence that early public disclosure is very important. At the minimum, the affected users can start using workarounds (turn off insecure systems) until fixes are available.

Another possibility exists...

[bigtallmofo]

So Sony was lying its collective arse off when saying it reacted as quickly as it could?

That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.

Re:Another possibility exists...

[Yartrebo]

I feel that technology should be a valid excuse under the right circumstances. A mom-and-pop store or a private individual cannot reasonable be expected to do a good faith patent search when choosing an operating system (MS Windows and Mac OS undoubtedly violate hundreds of software patents, and Linux violates thousands of patents if you include software commonly found in distros, like mp3 players - the mplayer project alone has close to 1,000 known patent violations and countless unknown violations). Legally every single user of a halfway modern OS should have injunctions granted against the use of their computer and massive damages be paid out to the dozens or hundreds of patent holders covering some aspect of their OS.

In the case of operating systems, even Microsoft should be able to invoke ignorance, as the best minds money could buy cannot properly figure out exactly what a patent covers, and even if they could, proper enforcement would result in losses to GDP easily exceeding 20% as companies retool to avoid the use of computers and replace them with typewriters and file cabinets (typing and data storage), servos and relays (industrial processes, automobiles, microwaves, anything else currently built with computers). On top of increased staffing needs for most corporations, energy efficiency will decline as the carbeurator will replace fuel injection in autos and electric power plants retool to manual operations (certain plants, like many solar plants and photovoltaic systems, are likely to be entirely unoperable and mothballed). Efficiency might be maintained by switching to turbine-based engines (say, steam turbines or gas turbines), but such a switch would drastically increase the cost and complexity of automobiles. Telephone companies in particular will have to hire many switchboard operators and we can expect to see call costs rise back to pre-AT&T breakup costs. A modern Cold War-style military such are our own is dependant on computers from everything from remote control drones to fighter planes to secure and rapid communications. And lastly, Slashdot would not be possible without computers.

That said, I feel that Sony is entirely responsible for what they did as they should have known better. Trojan horses being no-nos is just plain common sense and they serve no legitamite purpose. Sony purposefully wrote or purchased a program to have this function, and as Sony is in the software business they can be expected to be authorities on the subject and act accordingly (as opposed to patents which require substantial knowledge in law just to understand, no less safely navigate - and the cost of compliance is so high that no reasonable corporation can be expected to fully comply with them as it would entail disbanding the corporation in many instances)

Re:Another possibility exists...

[CowboyBob500]

A mom-and-pop store or a private individual cannot reasonable be expected to do a good faith patent search when choosing an operating system (MS Windows and Mac OS undoubtedly violate hundreds of software patents, and Linux violates thousands of patents if you include software commonly found in distros, like mp3 players - the mplayer project alone has close to 1,000 known patent violations and countless unknown violations). Legally every single user of a halfway modern OS should have injunctions granted against the use of their computer and massive damages be paid out to the dozens or hundreds of patent holders covering some aspect of their OS.

MPlayer, Linux, LAME etc etc, are perfectly legal here in the UK since software patents are not enforcable. The problem is not with the software, it's with the US patent system.

Bob

If this is true...

[julesh]

If this is true, then sony just lost them court cases we've been hearing about. Having been told about it and not issued a product recall at the earliest opportunity (i.e. within a day or two) means that they were intentionally subverting people's computers.

The only defence available to them was that they didn't realise this was happening. They've just lost that.

Impressions

[A+beautiful+mind]

When the Sony rootkit case first hit the news, I considered F-Secure to be quite good for an anti-virus company because they were reasonably quick adding the rootkit to their signature file.

They've just lost that credit for me. They knew for a month and were sitting on it! That is not acceptable. There should have been no warning to Sony, just a public statement from F-Secure at the beginning of October about the rootkit.

Re:Impressions

[Tmack]

Its called proffesional courtesey. If they immediatly notified the public, there would have been an exploit that many days sooner, before ANY action could be taken to fix it. This is the same as any MS or other exploit. Once a firm knows about it, they notify the software's management to fix it and wait a few days to release the news to the public. That gives the developers time to at least create a patch to prevent any further damage. Is it F-Secure's fault Sony did something stupid in the first place? Are you going to blame Semantic on the next exploit they find, tell microsoft about, and wait a few days before alerting the public? How about the IE bug just moved to cirtical status thats been around for many months, is that to be blamed on Secunia? They knew about it since june and waited until this weekend to escalate it to critical, only after a proof of concept was released.

Its easier to prevent a fire by notifying management to fix the sparking wires than to put one out after notifying a world full of pyros to come dump gasoline on it.

tm

Re:Impressions

This isn't the equivalent of a bug in IE. Sony deliberately infected their customers' computers with malware. Sure it was buggy malware but that's hardly the main issue. If you see a Sony executive breaking into someone's house, would you let the Sony exec know so that he could have a month to fix the problem before anyone else found out?

Re:Impressions

[pdschmid]

I think F-Secure's response was very appropriate. Imagine the following scenario: A serious flaw that could be exploited by a worm is discovered in Windows. All one needs to write a worm is to know some vague information about the flaw, e.g. where to look for it. A good programmer could write a worm in a day. A patch for the flaw takes longer to create, as it needs to pass some rigorous testing (after all the patch shouldn't break your Windows installation). So, what do you prefer? Immediate public disclose and a day later a worm infects windows installations all around the world? Or public disclosure concurrent with a patch from Microsoft which had been privately warned about it? I know I prefer the latter scenario. F-Secure was acting in the best interest of the people who had been infected by this rootkit. Sony BMG though had no interest in helping those people, because they were more interested in covering up their illegal doings. F-Secure would have gone public eventually. They would have not just sat there and watched Sony get away with it. However, they gave Sony BMG a reasonable chance in fixing the security holes, as they do give any other company rightly so. Patrick Schmid

Re:Impressions

[A+beautiful+mind]

Someone mod parent up.

The difference between a Microsoft security issue and the Sony rootkit is earth and sky.

If F-Secure would have identified a flaw in Microsoft's software, then it's ok if they give the company a grace period to get a patch ready.

There was no such patch to be prepared in the case of Sony.

The following things are sensible to be done when someone finds a new rootkit spreading in the wild:

• Identify it's source [Sony DRM on cd's - CHECK]
• Find a way to stop the infections/prevent further infections - this can be only done by forcing Sony to stop shipping infected cds - a public disclosure is essential. Also adding the rootkit to the signature file is required. [FAIL]
• Clean up the infections - most anti-virus companies write even small utilities to remove rootkits/viruses/trojans. [???]

Let's face it: By telling Sony about it and not going for public disclosure F-Secure accomplished nothing but let even more users get infected by this rootkit. Sony is not a software company, there wasn't a flaw in a software that needed to be fixed, but the software itself removed! That requires no cooperation on behalf of Sony.

As quickly as they could?

[Jerry+Coffin]

Sony BMG officials insist that they acted as quickly as they could,

In this case, "as quickly as they could" seems to really mean "as slowly as they could get away with."

How long is it going to be before these companies realize that attacking their customers and treating them like criminals really is NOT a good way to do business? Microsoft's "product activation", Sony's rootkit, etc. ad naseum do essentially nothing to stop real hackers from copying software, music, etc., as much as they want, so the only thing they really accomplish is hurting the legitimate customers.

These lousy business practices are reflected in their (lack of) sales too. I don't mean to say a boycott of Sony would necessarily be a bad thing, but for those who haven't looked, take a look at Sony's stock prices -- boycott or no, they're not exactly burning up the charts right now.

Now, Sony (etc.) will undoubtedly point to Napster and such as the reason they're not doing as well recently. I don't think that's the case. I think what's happened is that Sony is now concentrating more on forcing customers to pay than they are on producing things customers want. As is visible in their stock price, that simply leads to oblivion, not prosperity.

--
The universe is a figment of its own imagination.

Re:Proves public disclosure is the best for securi

[Concerned+Onlooker]

Until a security hole is widely published

I don't think this was a security hole so much as breaking and entering. I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.

Yeah...

[penguinbrat]

""Most people, I think, do not even know what a Rootkit is, so why should they care about it?"

You can just hear the urgency can't you...

Re:Proves public disclosure is the best for securi

[Al+Dimond]

I may be in the minority of /. readers: I don't really know the story of Mitnik. But if GP is accurate, he spent time in jail. You can't put a corporation in jail. $100,000 is a slap on the wrist; probably any fine that will be assessed is a slap on the wrist and probably is just a drop in the bucket of all the money that Sony will spend on legal matters in any given year. But if you fine a corporation enough to actually hurt it, a lot of innocent people lose jobs. So what's the solution to this?

The actual people that did the hacking were working for this "First4Internet" company. Anyone that designed, wrote or approved a part of the software deemed to be inappropriate could face jail time. There were people at Sony that approved this technology for use on CDs; they could face jail time. There were people at Sony that knew that their software included a rootkit and insecure kernel modifications, and yet claimed otherwise; they could face fraud charges (for an individual to say, "I am not a crook," is legal, but to knowingly lie about a product offered for sale is fraud). Anyone with much knowledge of the workings of this product should have known that it was illegal, just as Kevin Mitnik or any other cracker surely knows that whatever he does (like I said, I have no idea what it was that he did) is illegal. That would be equal justice.

Re:Don't forget Sony's other nasty DRM

[Braino420]

Just say NO to DRM. The only thing Sony seems to understand is lost sales.

Haven't you learned by now that any lost sales are blamed on piracy? Which means it will probably just lead to more DRM bullshit. I mean, it's gotten to the point where I can no longer justify buying a CD. Why shouldn't I be able to backup a cd I payed 20 bucks for? It will end up with me doing something illegal either way. It's cool because the stuff I download doesn't have DRM!