Rootkit redux: Sony doesn't learn from history


Remember the Sony/BMG rootkit scandal in 2005? It was all over the news how Sony/BMG was distributing rootkits with its DRM software on legitimately purchased music CDs. Of course, Sony eventually played the "left hand doesn't know what the right hand is doing" card and blamed it all on some programming contractor company that it had writing its DRM software for it. That excuse may not work twice.

I wonder how Sony is going to spin things this time. We now see that F-Secure's DeepGuard software has detected rootkits in more software distributed with Sony products. It appears there are at least two rootkits being installed on customers' systems this time, adding insult to injury.

For those of you who aren't aware, a rootkit is software that hides the tracks of someone or something installing malware on your system and otherwise making unwanted or unauthorized changes -- often by hiding files from system utilities and/or eliminating log entries.

While the legal definition of "unauthorized" may not strictly apply to Sony's absurd DRM gymnastics if tested in court, in practice the simple fact of a rootkit existing on the system at all is certainly not something most people would ever authorize without at least being three sheets to the wind on some low-quality tequila. I'm talking about the same state of mind that leads to otherwise reasonable men getting obscene words tattooed on their foreheads when they go on a New Year's Eve bender.

In this particular instance, it appears that Sony is genuinely trying to provide some kind of service to its customers with the rootkit technology being used. It appears to be some kind of attempt at a security measure for biometric scanning technology, rather than DRM.

On the other hand, if this is an attempt at security, it's a terrible attempt: Sony is just buying into the security through obscurity fallacy -- lock, stock, and barrel -- if that's the case. So, in a badly executed attempt at providing customer security, Sony is not only using ineffective techniques to secure its software, but it's also introducing potential security risks in the form of ready-made rootkits! Wonderful.

Sony certainly isn't learning the right lessons from its past mistakes. Perhaps some executive looked at the plan for this software deployment and okayed it, thinking "Well, this isn't a rootkit embedded in some DRM software, so it's okay."

That's a bit like thinking you're secure from viruses just because you've installed an updated virus definitions database for your antivirus software -- completely ignoring the fact that exactly the same virus-exploitable vulnerabilities exist on your system, and all that's needed to exploit them again is to develop a slight variation on the same viruses to which you were previously susceptible.

In other words, Sony gets an F in Security Principles 101, which is effectively what I've been trying to teach over the last few weeks of entries here on TechRepublic's IT Security blog. Maybe some of its project managers should be reading this RSS feed.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

35 comments
filker0

A lot of the discussion here harkens back to Sony's consumer products and the BMG rootkit fiasco. Ever since Sony purchased Capitol Records, they've had a conflict of interest that has degraded their audio (and now video) recording products. The use of DAT for music (in the consumer equipment) was compromised by early DRM attempts. The MiniDisc recorder format not only had a generation counter, they stopped making it possible to get a clean digital transfer by removing the optical outs very early; the USB transfer mechanism was DRM encumbered, making it impossible to make a digital transfer from a live recording to CDR or MP3. This is just a sample of the marketing stupidity that Sony has shown. They have good engineers, it seems, but these engineers are forced to degrade the consumer products because the music and entertainment division is averse to anything that might allow someone to "pirate" their IP. (These folks seem to consider "fair use" to be "piracy".) As for the current case, this time it's an egregiously bad choice of technology to serve a purpose that is, in itself, not against the best interests of the customer. My guess is that their software team is not very good at predicting the consequences of their design choices. They knew how to do it (hide the directory with the data they wanted to protect), it solved (protect the data) the problem they were asked to solve (actually, it didn't solve the problem, but they thought it did), so they did it that way. This was probably not even cleared by upper management or legal; they just did it and nobody within the organization objected. "This is a technology so powerful that it can only be used for good or evil!" Unfortunately, this sort of short-sighted thinking is common (if not dominant) in the current software development world.
Usually, it simply introduces security or performance problems while the defective software is being run (or at least installed); in this case, it enables other software to leverage its defects without ever even being present on the victim's system. Bad oversight, no cookie, and no trust from people like us. It's not so much that Sony doesn't learn from history, it's that they're unable to see analogies, so nobody at Sony even made a connection between the two bits of software until someone pointed it out to them.

chained1

Can't believe you didn't say what Sony software puts rootkits on PCs... crap journalism by you

boony

Back in the 80's, I remember telling my friends "My dad bought a new TV. A Trinitron". Mentioning that model, and the Sony brand name, would elicit genuine oohs and ahs, and cries of "Can we see it?" Buying a Sony meant you were willing to pay a little more (or a lot) for the very best. These days if you say "I bought a Sony", people look at you like you're a schmuck who throws his money away on overpriced crap. Granted, this is due, in part, to competing brands that match or surpass Sony's quality for a lower price. However, a great deal of the derisive laughter you'll receive is due to Sony continually shooting itself in the foot, or feet, as it turns out.

mikifinaz1

I buy my "stuff" from other companies now.

nectarinehorse355

You would think Sony would learn from the past, well maybe they have. After all, guys, remember when you experienced a heavy petting session? She didn't let you kiss, grope and fondle all at once, did she? You had to work your charms slowly to break down her resistance. Looks like Sony is trying to treat us like a go-all-the-way-on-the-first-date. This is the very reason I won't even buy Sony hardware for any of my rigs, and recommend against it to anyone that asks.

jimglewis

You got that right. By the way, Chad. The statement: "...being three sheets to the wind on some low-quality tequila." SHOULD be: "being three sheets IN the wind on some low-quality tequila." Sheets are actually the lines used to tie down the sails. If not tied down, then they're flapping IN the wind and the ship wobbles about like a drunken sailor. Just thought you'd like to know. - - -Jim

psycho

I quit buying any Sony product in 05 after the first rootkit. Also have been telling anyone who will listen what they did.

xmatelot

If Sony can't comprehend that they are way off in their thinking, then boycott Sony and their products! Let the SOBs die as broke criminals.

HarryW1

Simple solution...DON'T BUY ANYTHING RELATED TO SONY!

BALTHOR

The 'software company' tells you what you need to do, you check with your legal team, and then do it. Somebody has to have a truth sensing ability because the computer industry is loaded with lies.

apotheon

While I appreciate your attempt to contribute to the discussion, I recommend you visit the sites linked from the article, as they can answer your questions about the products in question. I did not feel it necessary to merely repeat what was already reported by others, and instead merely referred to it so that I could raise the subject of the implications of Sony's behavior. Thanks for your time.

t.rohner

I bought a Walkman DD in 82. This device was superbly engineered. It was small, but at the time I bought it, there was an even smaller one from Panasonic. I bought it because you could jump and run with it, without changing its speed. Most other cassette players tried to keep the capstan speed constant with a mass system. This is ok for stationary systems, but doesn't work in a Walkman. I found out what the DD name meant when I opened it for the first time. Instead of a rotating mass, they had a plastic disk, driven by a very small motor. Since this system had almost no mass to speak of, it could be easily regulated by a PID circuit. In those 5 years I used it extensively, I had to change the head 3 times, it was just so ground down. I haven't calculated the hours, it had to play for me, but they were lots. One of my buddies bought the Panasonic, but it broke down in the first year he had it. I then gave my WM to my sister, but it got lost or stolen after a year or so. That was the time, when Sony was ahead of the pack. I have to admit, that I have a Sony mobile phone now, after being pissed by Nokia. This phone just works and that's what I'm looking for. The only negative thing I could say, it doesn't have a SD card but their proprietary Memory stick. But then, it was already installed when I got the phone. When this whole shit with copy protection on audio CDs started, I bought a Yamaha F1E Burner. It just rips everything I tried up until now. I don't want to pirate, but I may want my sound on my Nomad player or on "disposable" CDs in the car and this is still legal where I live. Many companies get strange, when success kicks in. They need to be brought to reason somehow. Either they listen to their customers or go bankrupt sooner or later.

GentleRF

I'd sooner have a big black dog up me than Sony in my wallet because at least I would get screwed by something I can recognize on the street and both of us could take some small pleasure from the act.

kburch

Yep I had a similar issue with a Sony VGN AX-570G Laptop I bought in 2005. From the beginning it was a lemon. They did not care just kept taking it for weeks at a time for "Repairs". They then wanted to extort more money with an extended warranty for a computer that never worked correctly from the beginning. I now own a Sony doorstop with a bad motherboard (it had been replaced once already). Gotta love Sony and their stance for Quality products and Customer Support!!!

apotheon

From about a dozen different sources over the course of my life, I've always heard it "to". I had the impression the meaning was that the three sheets were basically "given" to the wind, since they're otherwise "in" the wind whether they're tied down or not. My obsessive-compulsive side wants to go do some more research on the phrase, now.

marquis

I've always wondered just what that means.

RNR1995

The only thing corporate America understands is the almighty dollar. I also have not purchased anything that says $ony on it since the first fiasco. I never really thought any of their products were all that great anyway, except for my Discman (now how long ago was that purchased!) LOL I agree with you all VOTE WITH YOUR WALLET!

robertbrown

...and I take a very dim view with my users who introduce rootkits to the agency.

lastchip

Ever since the original root kit episode, I simply don't buy their products. Don't trust 'em! What was once a world class excellent company, has completely lost its way.

apotheon

Two public rootkit fiascoes and exploding laptop batteries add up to a big fat "no thanks" for me.

ddh

means run it by a para-legal in the office who slides it under the nose for a signature by a junior legal eagle! Think again! Legal departments are not all that hot!!!

challenger-440

I used to be a diehard Sony fan but the old guard has moved on and the people in charge now don't mind screwing their customers because they have so many ignorant ones. When I was looking to buy a camcorder I was looking at Consumer Reports and they stated that the DVD camcorder had a defective Carl Zeiss lens that made the border blurry all the way around. This was a $1200 camcorder and Sony's reply was too bad. They wanted people to put it on their computer, blow it up and cut that part out. FOR A $1200 DEVICE YOU SHOULDN'T HAVE TO DO THIS. THIS IS JUST PROOF SONY DOESN'T GIVE A RIP ABOUT ITS CUSTOMERS.

gesn

For those interested....... Our colleagues at CANOE, the Committee to Ascribe a Nautical Origin to Everything, have been hard at work and, to their great pleasure, they can add this phrase to their list. Three sheets to the wind (or three sheets in the wind) is indeed a nautical expression. To understand this phrase we need to enter the arcane world of nautical terminology. Little is as it seems when onboard ship, so it's no big surprise that sheets aren't sails as landlubbers might expect, but ropes, or occasionally, chains. These are fixed to the lower corners of sails, to hold them in place. If three sheets are loose and blowing about in the wind then the boat will lurch about like a drunken sailor. The earliest printed citation is Pierce Egan Real life in London, 1821: "Old Wax and Bristles is about three sheets in the wind." The earliest that makes the association with drunkenness is Richard Dana Jr's Two years before the mast, 1840: "He seldom went up to the town without coming down 'three sheets in the wind'." http://www.phrases.org.uk/meanings/380500.html

Neon Samurai

sheets *to* the wind as in let go to the wind which would result in the same outcome on a boat. Either way seems to work far as I can tell though.

martin_ozolin

Reminds me of negative option billing with a technological twist. When I have to spend hours keeping a computer clean in order to use a few seconds of dial-up time for e-mail, it is evident that home entertainment and IT are strange bedfellows.

stunttnt

During installation of software that came with Sony's DVD RW DRU-510A, a friend who took over while I answered a phone call, failed to notice a radio button being checked BY DEFAULT on change all drives to SCSI. What a nightmare. It was a very hard lesson to ALWAYS create a back-up point prior to even external device installations. Sony provided NO HELP in resolving the registry problems created by their software. I'll NEVER buy another device produced by Sony.

apotheon

I think the only response to an appalling attitude toward customer service like Sony's, as demonstrated in your example of the $1200 camcorder, is to return the piece of garbage and buy something from a competitor. Vote with your wallet.

apotheon

I appreciate both the historical correction *and* the biting sarcasm.

GentleRF

While I do have a couple of Sony devices, I'm not so fiscally robust as to throw them out. Yes, they are DVD-RW/DL drives, but I knew what I was getting into when I bought them. Driver-wise, I didn't have to install any since I am running a Mac. I will however for future purchases buy another brand especially since the current ones don't even work with Sony's own discs all that well.

apotheon

"And like the current lineup of presidential hopefuls, the corporate candidacy for high standards seems mighty sparse." Actually, there's at least one major party candidate for President that is not only not too bad, but actually *really good*, as far as I'm concerned. I find this absolutely mind-boggling, considering that I haven't seen a "major party" candidate for whom I could justify voting, even with a gun to my head, for many years.

Neon Samurai

Had to throw that joke in there. In my case, there isn't really anything else I'd get by choosing Panasonic over Sony. More humour: Q. what are the chances Sony would sell a UX with no preinstalled OS? A. bahahahahaaa.. hehe.. ok I'm done, it's just one of those days.

darwin

Voting with your wallet is a fine concept. Unfortunately, for this concept to work properly there must be a candidate worth voting for. And like the current lineup of presidential hopefuls, the corporate candidacy for high standards seems mighty sparse. You can, for instance, vote against Sony and buy Panasonic. Thereby punishing one offender and rewarding another. What have you accomplished?
