Sony takes second stab at DRM patch

By Bill Brenner, News Writer 09 Nov 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Sony BMG Music Entertainment Inc. issued another patch for its rootkit-laced digital rights management (DRM) system Tuesday. But a top executive's response to the outcry over its use of the technology has only added fuel to the fire.

Users have been lashing out against Sony Global Digital Business President Thomas Hesse in such blogs as Techdirt and Digg over comments he made during an interview with National Public Radio. Asked about the public outcry over Sony's use of a rootkit in its DRM program to prevent CD copying, he said, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

Hesse was contacted for this story by phone Tuesday, but he did not respond. IT professionals who were asked about the controversy said Sony's attempt to justify the use of rootkit technology is especially troubling.

Related Sony DRM news The rootkit of all evil?

"It never ceases to amaze me that companies will use techniques that are clearly unethical," Paul Schmehl, adjunct information security officer for the University of Texas at Dallas and a founding member of the Anti-Virus Information Exchange Network, said in an e-mail exchange. "Then, when confronted, instead of coming clean, they attempt to minimize the damage or criticize the researcher's findings."

All this does is motivate researchers to work "that much harder" to find the truth, he said, adding, "When the truth does come out, and it doesn't fit the company's version of the facts, the results can be catastrophic. Sony is now being sued. The lawsuit will generate even more publicity, none of which will make Sony look good."

So far, The Washington Post noted Tuesday, Sony faces a class-action lawsuit filed on behalf of California consumers who may have been harmed by Sony CDs in which the rootkit technology is used. A second, nationwide class-action lawsuit was expected to be filed against Sony in a New York court on Wednesday seeking relief for all U.S. consumers who have purchased such CDs, the paper added.

Todd Towles, a network systems analyst at a medium-sized, Southeastern-based retail chain, said in an e-mail exchange that Sony deserves the backlash because of:

• Its "obvious attempt" to mislead the casual user of the running software;
• Its "lack of information discourse" in their end user license agreement about the rootkit-type technology;
• Its claims that the software is harmless, even though the rootkit technology can be used to hide any system process with a simple rename -- a feature that reduces the overall security of a computer system; and
• The uninstaller the company and its British technology partner, First 4 Internet Ltd., issued last week only removes the cloaking techniques -- not the software or the DRM.

"It would seem to suggest that Sony either doesn't understand the security consequences of their actions or meant to mislead the public again about the security consequences of their rootkit technology," Towles said. "These issues could very well land Sony BMG in some very hot legal water… I am not a lawyer… but I can say it doesn't look good for Sony. As a privacy advocate, I take real issue with the line that Sony now appears to be flirting on."

Towles and Schmehl said they've been keeping track of developments by reading the blog of researcher Mark Russinovich at Sysinternals.com. Russinovich, chief software architect and co-founder of Winternals Software in Austin, Texas, found the rootkit on his own machine and wrote up an analysis of it on his blog, setting off the controversy.

In his most recent entry, Russinovich detailed a response he got from First 4 Internet rebutting several of the issues he raised. "Instead of admitting fault for installing a rootkit and installing it without proper disclosure, both Sony and First 4 Internet claim innocence," he said. "By not coming clean they are making clear to any potential customers that they are a not only technically incompetent, but also dishonest."

"His analysis of their response is pretty devastating," Schmehl said. "He has now proven that you can crash Windows using their aries.sys driver, which contradicts what they claim. Furthermore, one of the commenters in one of the threads has discovered that you can rename a CD ripper using the First 4 Internet clocking technique ($sys$filename) and completely bypass their DRM protection."

Tags: Security Patch Management,  Malware, Viruses, Trojans and Spyware,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary