Sony Warned Weeks Ahead of Rootkit Flap

← Back to Stories (view on slashdot.org)

Sony Warned Weeks Ahead of Rootkit Flap

Posted by Zonk on Tuesday November 29, 2005 @06:25AM from the going-a-little-slowly dept.

pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."

18 of 335 comments (clear)

What a load by Microlith · 2005-11-29 06:28 · Score: 5, Insightful

Scramble? To contain the crisis?

They almost never admitted what they had done, and continually denied the dangers posed by this rootkit.

They only started the recall after people pointed out repeatedly that their "uninstaller" didn't, and recieved criticism from the government.

"as quickly as they could" my ass.

Of course, they could have been smarter and never released it to begin with.
Sony made a rootkit? by Winckle · 2005-11-29 06:28 · Score: 5, Funny

Why didn't Slashdot tell us before?!
Proves public disclosure is the best for security by Anonymous Coward · 2005-11-29 06:28 · Score: 5, Insightful

Until a security hole is widely published (not privately communicated) it's very likely to continue spreading unchecked.

I think this is great evidence that early public disclosure is very important. At the minimum, the affected users can start using workarounds (turn off insecure systems) until fixes are available.
Thats what happens... by Anonymous Coward · 2005-11-29 06:28 · Score: 5, Funny

...when a company becomes bigger than its customer base.
Another possibility exists... by bigtallmofo · 2005-11-29 06:28 · Score: 5, Insightful

So Sony was lying its collective arse off when saying it reacted as quickly as it could?

That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.

--
I'm a big tall mofo.
1. Re:Another possibility exists... by CowboyBob500 · 2005-11-29 10:11 · Score: 5, Insightful
  
  A mom-and-pop store or a private individual cannot reasonable be expected to do a good faith patent search when choosing an operating system (MS Windows and Mac OS undoubtedly violate hundreds of software patents, and Linux violates thousands of patents if you include software commonly found in distros, like mp3 players - the mplayer project alone has close to 1,000 known patent violations and countless unknown violations). Legally every single user of a halfway modern OS should have injunctions granted against the use of their computer and massive damages be paid out to the dozens or hundreds of patent holders covering some aspect of their OS.
  
  MPlayer, Linux, LAME etc etc, are perfectly legal here in the UK since software patents are not enforcable. The problem is not with the software, it's with the US patent system.
  
  Bob
  
  --
  Listen to my latest album here
They shouldn't have recalled the CDs by Pac · 2005-11-29 06:29 · Score: 5, Funny

Van Zant, Celine Dion, and Neil Diamond

They should have left the rootkit in place so we could download some good music directly to these misguided buyers' hard drives.
Still on the Shelves by Anonymous Coward · 2005-11-29 06:30 · Score: 5, Informative

Not only is Sony not moving fast, NY AG Elliot Spitzer reports that affected CDs are still being sold at various retail outlets. I'm not sure how much control Sony has over recalling CDs at some Wally World in Drum Nebraska, but this snafu puts them right up there with Adobe in corporate arrogance and stupidity.
Impressions by A+beautiful+mind · 2005-11-29 06:31 · Score: 5, Insightful

When the Sony rootkit case first hit the news, I considered F-Secure to be quite good for an anti-virus company because they were reasonably quick adding the rootkit to their signature file.

They've just lost that credit for me. They knew for a month and were sitting on it! That is not acceptable. There should have been no warning to Sony, just a public statement from F-Secure at the beginning of October about the rootkit.

--
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
1. Re:Impressions by Anonymous Coward · 2005-11-29 07:00 · Score: 5, Insightful
  
  This isn't the equivalent of a bug in IE. Sony deliberately infected their customers' computers with malware. Sure it was buggy malware but that's hardly the main issue. If you see a Sony executive breaking into someone's house, would you let the Sony exec know so that he could have a month to fix the problem before anyone else found out?
2. Re:Impressions by A+beautiful+mind · 2005-11-29 07:20 · Score: 5, Insightful
  Someone mod parent up.
  
  The difference between a Microsoft security issue and the Sony rootkit is earth and sky.
  
  If F-Secure would have identified a flaw in Microsoft's software, then it's ok if they give the company a grace period to get a patch ready.
  
  There was no such patch to be prepared in the case of Sony.
  
  The following things are sensible to be done when someone finds a new rootkit spreading in the wild:
  
  Identify it's source [Sony DRM on cd's - CHECK]
  
  Find a way to stop the infections/prevent further infections - this can be only done by forcing Sony to stop shipping infected cds - a public disclosure is essential. Also adding the rootkit to the signature file is required. [FAIL]
  
  Clean up the infections - most anti-virus companies write even small utilities to remove rootkits/viruses/trojans. [???]
  
  Let's face it: By telling Sony about it and not going for public disclosure F-Secure accomplished nothing but let even more users get infected by this rootkit. Sony is not a software company, there wasn't a flaw in a software that needed to be fixed, but the software itself removed! That requires no cooperation on behalf of Sony.
  --
  It takes a man to suffer ignorance and smile
  Be yourself no matter what they say
recalled? by wazzles · 2005-11-29 06:31 · Score: 5, Funny

It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. CDs by these artists should have been recalled anyway, rootkit or not.
Re:Obligatory by nb+caffeine · 2005-11-29 06:45 · Score: 5, Funny

What car company do you work for?

--

"Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
Re:So corporations still lie.... by Anonymous Coward · 2005-11-29 07:15 · Score: 5, Interesting

I tried submiting this to Slashdot but apparently the editors didn't find it newsworthy.

http://www.benedelman.org/news/112105-1.html
http://www.downloadsquad.com/2005/11/23/sony-could -use-xcp-to-protect-its-customers-but-wont/

Sony could use XCP to protect its customers, but won't

Spyware researcher Ben Edelman says that XCP, the software at the heart of Sony's rootkit fiasco, could also be used to inform Sony's customers that their computers have been compromised. Sony doesn't know whose computers are infected by their rootkit, but the XCP player software includes code for automatically fetching a banner from Sony's servers. Sony could easily use this to display a recall notice to the rootkit's victims, but are they going to? I seriously doubt it. While the whole affair has been gaining more and more traction with the media, Sony knows that the majority of its customers will never hear about any of it, and they want to keep it that way. While their recall was intended to be viewed as a good-faith gesture (and, indeed, there may be some actual good faith in there somewhere), the last thing Sony wants is for every Switchfoot fan to know how badly their record company screwed up their computer.
Don't forget Sony's other nasty DRM by Old+Man+Kensey · 2005-11-29 07:17 · Score: 5, Informative

Lest we forget, Sony is still shipping CDs with SunnComm's MediaMax DRM on them -- ten times as many as the XCP rootkit, in fact (that's 20 million CDs at last count, for those keeping score at home). It's still just as easy to defeat as it was in 2003, but if you make the mistake of letting it install like my wife did, it's fairly nasty. In particular it actually installs before you agree to the EULA -- the only difference between agreeing and declining is that if you decline, the software is not activated (but it remains installed).
If you have a device driver named Sbcphid.sys (which shows up as a hidden non-plug-and-play device named Sbcphid when active), you've got MediaMax and should remove it.
Only the EFF has mentioned MediaMax in the various legal claims against Sony, and Sony has remained silent about it in public as well. Obviously they're not sorry about using DRM at all -- they're just sorry they got caught.

--
-- Old Man Kensey
1. Re:Don't forget Sony's other nasty DRM by Braino420 · 2005-11-29 08:58 · Score: 5, Insightful
  
  Just say NO to DRM. The only thing Sony seems to understand is lost sales.
  Haven't you learned by now that any lost sales are blamed on piracy? Which means it will probably just lead to more DRM bullshit. I mean, it's gotten to the point where I can no longer justify buying a CD. Why shouldn't I be able to backup a cd I payed 20 bucks for? It will end up with me doing something illegal either way. It's cool because the stuff I download doesn't have DRM!
  
  --
  They call me the wookie man, I guess that's what I am
Yeah... by penguinbrat · 2005-11-29 07:19 · Score: 5, Insightful

""Most people, I think, do not even know what a Rootkit is, so why should they care about it?"

You can just hear the urgency can't you...
Re:Proves public disclosure is the best for securi by Al+Dimond · 2005-11-29 07:31 · Score: 5, Insightful

I may be in the minority of /. readers: I don't really know the story of Mitnik. But if GP is accurate, he spent time in jail. You can't put a corporation in jail. $100,000 is a slap on the wrist; probably any fine that will be assessed is a slap on the wrist and probably is just a drop in the bucket of all the money that Sony will spend on legal matters in any given year. But if you fine a corporation enough to actually hurt it, a lot of innocent people lose jobs. So what's the solution to this?

The actual people that did the hacking were working for this "First4Internet" company. Anyone that designed, wrote or approved a part of the software deemed to be inappropriate could face jail time. There were people at Sony that approved this technology for use on CDs; they could face jail time. There were people at Sony that knew that their software included a rootkit and insecure kernel modifications, and yet claimed otherwise; they could face fraud charges (for an individual to say, "I am not a crook," is legal, but to knowingly lie about a product offered for sale is fraud). Anyone with much knowledge of the workings of this product should have known that it was illegal, just as Kevin Mitnik or any other cracker surely knows that whatever he does (like I said, I have no idea what it was that he did) is illegal. That would be equal justice.