Rootkit redux: Sony doesn't learn from history

Remember the Sony/BMG rootkit scandal in 2005? It was all over the news that Sony/BMG was distributing rootkits with its DRM software on legitimately purchased music CDs. Of course, Sony eventually played the "left hand doesn't know what the right hand is doing" card and blamed it all on a programming contractor that was writing its DRM software for it. That excuse may not work twice.

I wonder how Sony is going to spin things this time. We now see that F-Secure's DeepGuard software has detected rootkits in more software distributed with Sony products. It appears there are at least two rootkits being installed on customers' systems this time, adding insult to injury.

For those of you who aren't aware, a rootkit is software that hides the tracks of someone or something installing malware on your system and otherwise making unwanted or unauthorized changes -- often by hiding files from system utilities and/or eliminating log entries.

While the legal definition of "unauthorized" may not strictly apply to Sony's absurd DRM gymnastics if tested in court, in practice the simple fact of a rootkit existing on the system at all is certainly not something most people would ever authorize without at least being three sheets to the wind on some low-quality tequila. I'm talking about the same state of mind that leads to otherwise reasonable men getting obscene words tattooed on their foreheads when they go on a New Year's Eve bender.

In this particular instance, it appears that Sony is genuinely trying to provide some kind of service to its customers with the rootkit technology being used. It appears to be some kind of attempt at a security measure for biometric scanning technology, rather than DRM.

On the other hand, if this is an attempt at security, it's a terrible attempt: Sony is just buying into the security-through-obscurity fallacy -- lock, stock, and barrel -- if that's the case. So, in a badly executed attempt at providing customer security, Sony is not only using ineffective techniques to secure its software, but it's also introducing potential security risks in the form of ready-made rootkits! Wonderful.

Sony certainly isn't learning the right lessons from its past mistakes. Perhaps some executive looked at the plan for this software deployment and okayed it, thinking "Well, this isn't a rootkit embedded in some DRM software, so it's okay."

That's a bit like thinking you're secure from viruses just because you've installed an updated virus definitions database for your antivirus software -- completely ignoring the fact that exactly the same virus-exploitable vulnerabilities exist on your system, and all that's needed to exploit them again is to develop a slight variation on the same viruses to which you were previously susceptible.

In other words, Sony gets an F in Security Principles 101, which is effectively what I've been trying to teach over the last few weeks of entries here on TechRepublic's IT Security blog. Maybe some of its project managers should be reading this RSS feed.