By now, I would bet that the vast majority of TechRepublic members are familiar with the recent controversy over Sony BMG's notorious rootkit included on many of its CDs. As many regular readers of this column were quick to note, I didn't immediately chime in when the now-infamous rootkit issue became public knowledge.
Nor did I comment when follow-up news stories indicated that attempts to remove the First4Internet digital rights management (DRM) software apparently disabled the CD-ROM on Windows systems. I kept my silence when Sony's lame attempt to pacify customers by offering an uninstall tool for the DRM system left Windows systems vulnerable to a variety of attacks.
Even when reports of other interesting software showing up on Sony music CDs, such as SunnComm Technologies' MediaMax, began to trickle in as well, I sat back and watched. But don't think for a minute that I ignored this issue—you should have known that I wouldn't keep quiet for long.
It's not that I didn't consider the recent Sony DRM fiasco to be worthy of writing about. However, it's important to remember that there's a far larger security issue at stake.
Commercial media and software companies seem to believe that they can do whatever they want with DRM technologies—and that users must accept it if they intend to use their products. These vendors apparently feel that protecting their digital assets is more important than consumers' rights to use their computers—or to keep them secure.
Many companies install software on users' computers without the users' knowledge or consent. While only a few of these incidents make the headlines, the problem is far more common than you might think.
The irony of the Sony situation is that few mainstream users are intentional music thieves—most just want to listen to CDs on their computers. Sony likely paid millions to license this DRM technology, installing it to prevent theft by ordinary users who probably weren't interested in copying the music anyway.
But let's not forget the larger issue at hand: Sony apparently felt entitled to subvert users' rights in favor of its own. The average user doesn't know what installs or runs on his or her computer—and companies like Sony know it.
Personally, I didn't encounter any of the Sony copy-protected CDs, but they wouldn't have affected me even if I had. I disabled the ability of Windows to automatically run software from a CD shortly after I bought my laptop. By doing so, I prevented Sony and other like-minded companies from getting their hooks into my system.
Incidentally, DRM software wouldn't work on my Linux workstation either, since it's not a Windows or Mac system, and I can play music CDs all I want. You can also disable the feature known as Autostart on Apple systems and achieve similar results.
And some reports claim that a black marker or tape is also effective for stopping such copy protection. Of course, I may have just violated the Digital Millennium Copyright Act (DMCA) by explaining how to circumvent the Sony DRM system.
So, in my opinion, the Sony debacle itself wasn't clearly an Internet security issue—until news surfaced of the botched rootkit-remover program that opened up Windows systems to other exploits. So yes, I was quiet at first; I wanted to see how this would all play out before weighing in.
The key point to remember is that this issue is larger than Sony: It's the fact that many companies feel free—even entitled—to change how computers work because they know few people will realize it.
Sony's fiasco aside, hidden software presents a huge number of Internet security risks. Vendors that use these practices are taking advantage of the fact that most users believe companies wouldn't install software on their systems without prior consent—a very naïve assumption.
But the Sony rootkit is unfortunately just the tip of the iceberg. Think about it: How much software on your system decides to automatically run at startup and take it upon itself to "phone home"?
While many of these programs are innocuous, they can still represent quite a risk. How much longer until some black hat decides to hijack one of these programs and subvert it for his or her own nefarious use?
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.



