The world’s foremost security expert, Bruce Schneier, writes about the Sony DRM rootkit controversy – and what the interesting questions are which we should ask. To summarise: Sony bundles a rootkit on their music cds which secretly installs itself on buyer’s computers (without telling them) to prevent them copying the cd more than 3 times (i.e. the product they’ve designed to protect copyright infringement may itself have infringed on copyright). However, a rootkit is malware (not nice software) and can correctly be classified as a virus.
In response to a blogging-led outcry, Sony has shown its disdain for its customers (“Most people don’t even know what a rootkit is, so why should they care about it?”), has barely scraped together an apology and its software “fix” doesn’t remove the rootkit, only its ability to hide itself. However, they have agreed to stop manufacturing cds with this software on it as well as replace all infected cds. But, according to Schneier, that’s not the real story…
The heart of it is this: given that the rootkit has been “in-the-wild” for over a year – and it’s infection numbers make it one of the most serious internet epidemics of all time – what do you think of your antivirus company which hasn’t detected it? After all, this is what you pay them for, right?
When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case. McAfee and Symantec took a long time to respond and their fixes don’t actually remove the rootkit, just the cloaking.
“The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization.
What happens when the creators of malware collude with the very companies we hire to protect us from that malware?
We users lose, that’s what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.
Who are the security companies really working for? It’s unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?
These questions are the real story, and we all deserve answers.”
Indeed we do. Still comfortable Norton Antivirus is protecting you?
On a side note, this whole story was broken via blogs (and probably won’t even make it into mainstream media here in South Africa). Blogs are indeed powerful!