By now, I would bet that the vast majority of TechRepublic members are familiar with the recent controversy over Sony BMG’s notorious rootkit included on many of its CDs. As many regular readers of this column were quick to note, I didn’t immediately chime in when the now-infamous rootkit issue became public knowledge.

Nor did I comment when follow-up news stories indicated that attempts to remove the First4Internet digital rights management (DRM) software apparently disabled the CD-ROM on Windows systems. I kept my silence when Sony’s lame attempt to pacify customers by offering an uninstall tool for the DRM system left Windows systems vulnerable to a variety of attacks.

Even when reports of other interesting software showing up on Sony music CDs, such as SunnComm Technologies’ MediaMax, began to trickle in as well, I sat back and watched. But don’t think for a minute that I ignored this issue—you should have known that I wouldn’t keep quiet for long.

It’s not that I didn’t consider the recent Sony DRM fiasco to be worthy of writing about. However, it’s important to remember that there’s a far larger security issue at stake.

Commercial media and software companies seem to believe that
they can do whatever they want with DRM technologies—and that users must accept
it if they intend to use their products. These vendors apparently feel that
protecting their digital assets is more important than consumers’ rights to use
their computers—or to keep them secure.

Many companies install software on users’ computers—without the users’ knowledge or consent. While only a few of these incidents make the headlines, the problem is far more common than you might think.

The irony of the Sony situation is that few mainstream users are intentional music thieves—most just want to listen to CDs on their computers. Sony likely paid millions to license this DRM technology, installing it to stop ordinary users from stealing music they probably weren’t interested in copying anyway.

But let’s not forget the larger issue at hand: Sony apparently
felt entitled to subvert users’ rights in favor of its own. The average user doesn’t
know what installs or runs on his or her computer—and companies like Sony know
it.

Personally, I didn’t encounter any of the Sony copy-protected
CDs, but they wouldn’t have affected me even if I had. I disabled the ability
of Windows to automatically run software from a CD shortly after I bought my
laptop. By doing so, I prevented Sony and other like-minded companies from
getting their hooks into my system.

Incidentally, DRM software wouldn’t work on my Linux workstation either, since it’s neither a Windows nor a Mac machine, and I can play music CDs all I want. In addition, you can also disable the feature known as Autostart on Apple systems and achieve similar results.
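The AutoRun hardening the column describes, as an added PowerShell example that is not part of the original article: it audits the documented NoDriveTypeAutoRun and NoAutorun policy values in both registry hives and then sets them to their most restrictive values. It assumes a current Windows with PowerShell and an elevated shell for the machine-wide (HKLM) key.

```powershell
# Added example (not from the column): audit and harden the Windows AutoRun policy.
# The key paths and value names are Microsoft's documented policy values:
#   NoDriveTypeAutoRun = 0xFF  disables AutoRun for every drive type
#   NoAutorun          = 1     stops autorun.inf commands from being executed
# Writing under HKLM requires an elevated (administrator) shell.

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    # Returns one object per hive describing the current AutoRun settings.
    foreach ($path in $PolicyPaths) {
        $item      = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $driveMask = $item.NoDriveTypeAutoRun
        $noAutorun = $item.NoAutorun
        $maskText  = if ($null -eq $driveMask) { '(not set)' } else { '0x{0:X2}' -f $driveMask }
        $autoText  = if ($null -eq $noAutorun) { '(not set)' } else { $noAutorun }
        [pscustomobject]@{
            Hive               = $path.Split(':')[0]
            NoDriveTypeAutoRun = $maskText
            NoAutorun          = $autoText
            # Hardened only when all drive types are masked AND autorun.inf is ignored
            Hardened           = ($driveMask -eq 0xFF) -and ($noAutorun -eq 1)
        }
    }
}

function Set-AutoRunDisabled {
    # Creates the policy keys if they are missing and applies the restrictive values.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
        Set-ItemProperty -Path $path -Name 'NoAutorun'          -Value 1    -Type DWord
    }
}

Write-Host 'AutoRun policy before:'
Get-AutoRunPolicy | Format-Table -AutoSize
Set-AutoRunDisabled
Write-Host 'AutoRun policy after:'
Get-AutoRunPolicy | Format-Table -AutoSize
```

Group Policy can overwrite these values on a domain-joined machine, so re-run the audit function after a policy refresh to confirm the setting stuck.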

And some reports claim that a black marker or tape is also effective for stopping such copy protection. Of course, I may have just violated the Digital Millennium Copyright Act (DMCA) by explaining how to circumvent the Sony DRM system.

So, in my opinion, the Sony debacle itself wasn’t clearly an
Internet security issue—until news surfaced of the botched rootkit-remover
program that opened up Windows systems to other exploits. So yes, I was quiet
at first; I wanted to see how this would all play out before weighing in.

The key point to remember is that this issue is larger than Sony: It’s the fact that many companies feel free—even entitled—to change how computers work because they know few people will realize it.

Sony’s fiasco aside, hidden software presents a huge amount of
Internet security risks. Vendors that use these practices are taking advantage
of the fact that most users believe companies wouldn’t install software on
their systems without prior consent—a very naïve assumption.

But the Sony rootkit is unfortunately just the tip of the
iceberg. Think about it: How much software on your system decides to
automatically run at startup and take it upon itself to “phone home”?

While many of these programs are innocuous, they can still
represent quite a risk. How much longer until some black hat decides to hijack
one of these programs and subvert it for his or her own nefarious use?


Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.