Sony Warned Weeks Ahead of Rootkit Flap
pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."
This line makes me so incredibly mad. Wow, they offered to exchange something that could do damage to my finances and business for something that won't... something that they were hiding and SHOULDN'T have been on an AUDIO cd in the first place. Gee, thanks.
For all the flak that Microsoft gets in regards to security... at least they're bugs, by bad design or not. This is something Sony deliberately put into their products. I want heads to roll.
I disagree. I think F-Secure did great. I also think Mark Russinovich did great.
I think that it would have been much better if the news could have broken with a working, well-engineered patch. This is always preferable. F-Secure was trying to make this happen. A month is not a long time. Yes, a lot of people were infected in that month; but a lot of people were infected anyway. F-Secure did a right thing.
On the other hand, Russinovich also did a right thing. This software was not a mistake; it was deliberate. People were getting infected and had no idea. Clearly, people should know about this. Clearly, the corporation did not give a rat's ass about their users.
I like responsible full disclosure: give the maker time to fix it, and publish with a patch when possible. But don't allow eternal "patch development," and make sure disclosure happens. There is room for disagreement among people of good will and high ethics.
Sony need not apply to that group, though.
What I say does not represent the views of my employers, my friends, my cats, or myself.
I tried submitting this to Slashdot but apparently the editors didn't find it newsworthy.
http://www.benedelman.org/news/112105-1.html
http://www.downloadsquad.com/2005/11/23/sony-could-use-xcp-to-protect-its-customers-but-wont/
Sony could use XCP to protect its customers, but won't
Spyware researcher Ben Edelman says that XCP, the software at the heart of Sony's rootkit fiasco, could also be used to inform Sony's customers that their computers have been compromised. Sony doesn't know whose computers are infected by their rootkit, but the XCP player software includes code for automatically fetching a banner from Sony's servers. Sony could easily use this to display a recall notice to the rootkit's victims, but are they going to? I seriously doubt it. While the whole affair has been gaining more and more traction with the media, Sony knows that the majority of its customers will never hear about any of it, and they want to keep it that way. While their recall was intended to be viewed as a good-faith gesture (and, indeed, there may be some actual good faith in there somewhere), the last thing Sony wants is for every Switchfoot fan to know how badly their record company screwed up their computer.
Nothing like trashing someone else to get modded up.
Aside from that, I guess the Sony case will be nothing like the Mitnick case as he was held without bail and spent time in solitary confinement. It seems a safe assumption that the Sony execs will suffer no similar fate. Not to mention the other poster here who points out that they are only facing a civil suit, not a criminal one.
http://www.rootstrikers.org/