Slashdot Mirror
Sony Warned Weeks Ahead of Rootkit Flap
pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."
So Sony was lying its collective arse off when saying it reacted as quickly as it could? This is news how?
Scramble? To contain the crisis?
They almost never admitted what they had done, and continually denied the dangers posed by this rootkit.
They only started the recall after people pointed out repeatedly that their "uninstaller" didn't, and recieved criticism from the government.
"as quickly as they could" my ass.
Of course, they could have been smarter and never released it to begin with.
Why didn't Slashdot tell us before?!
I think this is great evidence that early public disclosure is very important. At the minimum, the affected users can start using workarounds (turn off insecure systems) until fixes are available.
...when a company becomes bigger than its customer base.
So Sony was lying its collective arse off when saying it reacted as quickly as it could?
That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.
I'm a big tall mofo.
Van Zant, Celine Dion, and Neil Diamond
They should have left the rootkit in place so we could download some good music directly to these misguided buyers' hard drives.
Not only is Sony not moving fast, NY AG Elliot Spitzer reports that affected CDs are still being sold at various retail outlets. I'm not sure how much control Sony has over recalling CDs at some Wally World in Drum Nebraska, but this snafu puts them right up there with Adobe in corporate arrogance and stupidity.
If this is true, then sony just lost them court cases we've been hearing about. Having been told about it and not issued a product recall at the earliest opportunity (i.e. within a day or two) means that they were intentionally subverting people's computers.
The only defence available to them was that they didn't realise this was happening. They've just lost that.
When the Sony rootkit case first hit the news, I considered F-Secure to be quite good for an anti-virus company because they were reasonably quick adding the rootkit to their signature file.
They've just lost that credit for me. They knew for a month and were sitting on it! That is not acceptable. There should have been no warning to Sony, just a public statement from F-Secure at the beginning of October about the rootkit.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. CDs by these artists should have been recalled anyway, rootkit or not.
"I'm a recall coordinator. My job was to apply the formula. It's simple arithmetic. It's a story problem. A new car built by my company leaves Boston traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: Do we initiate a recall? You take the number of vehicles in the field (A) and multiply it by the probable rate of failure (B), multiply the result by the average out-of-court settlement (C). A times B times C equals X. If X is less than the cost of a recall, we don't do one."
The only thing more dangerous than a file named -rf is renaming it -rf\ /
In this case, "as quickly as they could" seems to really mean "as slowly as they could get away with."
How long is it going to be before these companies realize that attacking their customers and treating them like criminals really is NOT a good way to do business? Microsoft's "product activation", Sony's rootkit, etc. ad naseum do essentially nothing to stop real hackers from copying software, music, etc., as much as they want, so the only thing they really accomplish is hurting the legitimate customers.
These lousy business practices are reflected in their (lack of) sales too. I don't mean to say a boycott of Sony would necessarily be a bad thing, but for those who haven't looked, take a look at Sony's stock prices -- boycott or no, they're not exactly burning up the charts right now.
Now, Sony (etc.) will undoubtedly point to Napster and such as the reason they're not doing as well recently. I don't think that's the case. I think what's happened is that Sony is now concentrating more on forcing customers to pay than they are on producing things customers want. As is visible in their stock price, that simply leads to oblivion, not prosperity.
--
The universe is a figment of its own imagination.
The universe is a figment of its own imagination.
Wouldn't that be an upload?
This line makes me so increadibly mad. Wow, they offered to exchange something that could do damage to my finances and business for something that won't... something that they were hiding and SHOULDN'T have been on an AUDIO cd in the first place. Gee, thanks.
For all the flak that Microsoft gets in regards to security... at least they're bugs, by bad design or not. This is something Sony deliberately put into their products. I want heads to roll.
Download free e-books, lectures, and tutorials at bookgoldmine.com
I don't think this was a security hole so much as breaking and entering. I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.
http://www.rootstrikers.org/
Phony Sony put its CDs on a shelf
Phony Sony had a rootkit which installed itself.
But all of Sony's lawyers and all of Sony's PR men,
Could not put the integrity back into Sony again.
He who knows best knows how little he knows. - Thomas Jefferson
I disagree. I think F-Secure did great. I also think Mark Russinovich did great.
I think that it would have been much better if the news could have broken with a worken, well-engineered patch. This is always preferable. F-Secure was trying to make this happen. A month is not a long time. Yes, a lot of people were infected in that month; but a lot of people were infected anyway. F-Secure did a right thing.
On the other hand, Russinovich also did a right thing. This software was not a mistake; it was deliberate. People were getting infected and had no idea. Clearly, people should know about this. Clearly, the corporation did not give a rat's ass about their users.
I like responsible full disclosure: give the maker time to fix it, and publish with a patch when possible. But don't allow eternal "patch development," and make sure disclosure happens. There is room for disagreement among people of good will and high ethics.
Sony need not apply to that group,though.
What I say does not represent the views of my employers, my friends, my cats, or myself.
If you have a device driver named Sbcphid.sys (which shows up as a hidden non-plug-and-play device named Sbcphid when active), you've got MediaMax and should remove it.
Only the EFF has mentioned MediaMax in the various legal claims against Sony, and Sony has remained silent about it in public as well. Obviously they're not sorry about using DRM at all -- they're just sorry they got caught.
-- Old Man Kensey
""Most people, I think, do not even know what a Rootkit is, so why should they care about it?"
You can just hear the urgency can't you...
I may be in the minority of /. readers: I don't really know the story of Mitnik. But if GP is accurate, he spent time in jail. You can't put a corporation in jail. $100,000 is a slap on the wrist; probably any fine that will be assessed is a slap on the wrist and probably is just a drop in the bucket of all the money that Sony will spend on legal matters in any given year. But if you fine a corporation enough to actually hurt it, a lot of innocent people lose jobs. So what's the solution to this?
The actual people that did the hacking were working for this "First4Internet" company. Anyone that designed, wrote or approved a part of the software deemed to be inappropriate could face jail time. There were people at Sony that approved this technology for use on CDs; they could face jail time. There were people at Sony that knew that their software included a rootkit and insecure kernel modifications, and yet claimed otherwise; they could face fraud charges (for an individual to say, "I am not a crook," is legal, but to knowingly lie about a product offered for sale is fraud). Anyone with much knowledge of the workings of this product should have known that it was illegal, just as Kevin Mitnik or any other cracker surely knows that whatever he does (like I said, I have no idea what it was that he did) is illegal. That would be equal justice.
Nothing like trashing someone else to get modded up.
Aside from that, I guess the Sony case will be nothing like the Mitnick case as he was held without bail and spent time in solitary confinement. It seems a safe assumption that the Sony execs will suffer no similar fate. Not to mention the other poster here who points out that they are only facing a civil suit, not a criminal one.
http://www.rootstrikers.org/