Security·4,716 discussions

Not Just Sony to Blame – Security Companies’ Catastrophic Failure

Locked

While it is easy and valid to blame Sony for this problem, where were our beloved, and well-paid security companies?

Rootkits are an old, well-known attack – why didn’t Zone Alarm, Symantec, MacAffee, Computer Associates, or any of the others pick this up in the MONTHS that it has been out there?

This is either incompetence or collusion – neither should make someone who paid $70 + $20/year for a “security suite” to protect their computer happy.

The professional “security” industry created this problem and didn’t detect it… shame on us all.

Steven B. Davis
CEO
IT GlobalSecure Inc.
http://www.secureplay.com/
http://www.playnoevil.com

Topic

Excellent point

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

This is an excellent point, which lead me to another.

In this modern day of business, it’s not the customer that brings in the cash it’s the various alliances and licensing agreements with other corporations that brings in the big cash.

I see the consumer beginning to be looked upon as a necessary evil in marketplace. Even though, without the consumer, there would be no marketplace.

I would bet that lots of people around conference room tables knew about this rootkit, but corporations were so keen on not affecting their cash cow corporate alliances that no one said or leaked anything.

Nothing happened until this reached the point of a somewhat widespread media attention. I still have yet to see something of this on the evening news though.

The whole thing stinks to high heaven, but I’m sure heads have rolled at SonyBMG for this.

I agree

In reply to Excellent point

I read somewhere today,that Phillips even said that Sony’s little root-kit “discs” were’nt even true cd’s,in the correct definition of them.No,Sony went out on a limb on this,were maybe warned behind the scenes what would happen,and zing…total catastrophe.Even MS have basically blown a raspberry at them,and are no doubt sniggering behind the scenes.I bet Sony shares nosedive in the next few weeks.Do I shed a tear.Not one jot.Hell,they could have trashed my pc,and ruined many months of stored data.

It was posted by Fox News

In reply to Excellent point

While I do not know anything about the evening news due to never wasting my time with them, I do know that http://www.foxnews.com has posted articles about it and has been giving updates on the progress of the story.

Symantec Rant

In reply to Excellent point

Seems to me these guys are simply clipping coupons. Supplying us with minimum protection and charging exorbitant fees.

More than once I have wondered why the hell I am paying so much money to Symantec. Last time I called tech support using my “Gold” account, I was told the hold time would be at least 1.5 HOURS!

I think it’s time they got off their asses and started developing products that actually afford something other than one dimensional protection.

express yourself

In reply to Excellent point

Express yourself! Our crew of thousands works 24/7 to give you the best music label and artist sites. If you like what we’re doing, or you think we could be doing something better, please let us know. We appreciate all feedback, although we aren’t able to respond to all of it.
Thanks for your feedback! Your input will help us to make a better Sony Music Online
I think that everyone should alse send a complaining eMail to every sony email address you can find, daily for the next 90 days.
should raise a stink.

the following is a link to Sony Music Feedback page
http://www.sonymusic.net/sony/feedback.cgi

AND
here are som sony email addresses.
General Comments: SonyMusicOnline@sonymusic.com
Website Technical Problem: SonyMusicOnline@sonymusic.com
Columbia Records: feedback@columbiarecords.com
Epic Records: feedback@epicrecords.com
Legacy Recordings: LegacyOnline@sonymusic.com
Sony Music Nashville: SonyMusicOnline@sonymusic.com
Sony Classical: feedback@sonyclassical.com
Sony Wonder: SonyWonder@sonymusic.com
Sony Music Store: SMFCustomer_Services@sonymusic.com
Sony Music Custom Marketing: smsp@sonymusic.com

Scotch tape
http://informationweek.com/story/showArticle.jhtml?articleID=174400748

Corporations, News and Sony

In reply to Excellent point

I think one reason we didn’t see it on the news is that it is not in corporate interests to do so. Whether it is collusion is probably difficult to prove but self-sensorship is very strong within contemporary corporate structure. And we the consumer? Individually we don’t count! Well, some do to be fair.

I would expect zone alarm to popup an unknown on kit call home

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

I would expect that ZoneAlarm would have warned on call home of the kit. Unless Sony did with ZA like they did with Symantec, worked with the venders to identify their product and components and so not alarm as to what they were doing.

I would have still expected Zonealarm to alerted me to the traffic *but* once trusted, it becomes a difficult issue for ZA to track and catch something … and if its using IE… then ZA trusts IE to use other components to do network access and that would be why these could slip by zone alarm.

its allow-all on approved policy

In reply to I would expect zone alarm to popup an unknown on kit call home

theres an IT paper on it, policies should be deny-all then let the user explicitly allow only what is needed. for example, to put it to the barest, you only need http, smtp and pop3. then per protocol, which programs will use it. you only look at the good that you need.

on the other hand, virus scanners fail if they dont have the signature of the bad program, even with their heuristics. why? they look for the bad only. with additional hackers coming online, you would guess they can never sleep at all.

add allow only specific pop3, smtp, etc

In reply to its allow-all on approved policy

in your “for example” … that rule for pop should be specified to allow only pop to your pop servers.. smtp to your *known* smtp servers..

and before outlook 2002/3 hit with the option to disable graphics in email.. I had already specified that outlook.exe was not allowed to http anywhere but special sites (microcenter.com, bestbuy.com …. places I get sales email from)

even the new outlook doesn’t do that.. so as to stop graphics from someplace else.. (although phishers use original graphics from their respective sites)

Group policy here also is …

In reply to add allow only specific pop3, smtp, etc

… that you don’t get to FTP anything from anywhere, anyhow, anyway.

good point

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

One of things that make you go hmmmm.

not quite

In reply to good point

That’s one of the things that makes me go “GRRRR”!

Little if any inderstanding

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

Security companies can only react to threats, and what ever you may think, root kits by their very nature are written new daily and designed to have the operating system lie to the user and detection software.

If you do not want root kits installed, don’t run the bloody operating system with admin rights.

Did you need admin rights to listen to Sonys Cds, not at all…however becuase the land of users, spelt with a silent L wants to be able to load software and do what they want, without really having much of a clue as to what is really going on, root kits, back doors and viruses will always find a home.

Don’t want your machine infected, don’t run with admin rights.

Take a look at a program called Morphine sometime…it takes existing viruses and re encodes them so NO anti virus scanner will detect it…..it is a scary world in the world of hackers….and it is only going to get worse.

If you really are a CEO of IT Global secure, then why does a security company not follow basic admin principles….why would you allow users to run with rights to be able to change regisrty settings, disable security programs and rewrite kernal modules.

Sony actually did the IT world a favour and put root kits into the spot light…but don’t expect the security companys to make up for your failings as an Admin

Too damn slow.

In reply to Little if any inderstanding

Security companies may only *react* to threats, but how long do they need?

This little trick was thrust upon us all months ago and it was only due to the talents of one researcher, we were all alerted to the problem.

Security companies are selling protection; where is the protection here?

Further, whilst your notion of not running with admin rights is unarguably sound, we are talking about a lot of home users, who pop a CD into their machine and run it. Most don’t even know what admin means! Take it away, and they can’t load software and all hell breaks loose. They think their computer is broken! How do you propose to overcome that?

You are looking at the problem as a professional, administrating a company network and there is little against your contribution. But in the main, it’s not companies affected by this – at least, not those with a good policy and admin staff 😉

foolish users then?

In reply to Too damn slow.

This is all valid, users should be more aware of security and the benefits of running as a non-privelgded user and admins should not allow corporate users to alter the registry… all good,

BUT, the real world doesnt require a driving license for computers or compulsory training… (although maybe there should be), and users should be able to trust Sony not to shaft them witha rootkit and they should be able to trust that their firewalls and anti-virus software will not allow this kind of thing.

That is the reason there is so much action in the world of hacking and on-line crime… it is well known that most users havent got the basic knowledge to protect themselves, and therefore they will be taken advantage of.

I would like to point out that i have not got any sony or other root-kit on my machine. This is down to having the sense to ditch an OS that really does not know what security is.

blacklight

In reply to foolish users then?

F-prot have a beta version of a program available that scans for rootkits called blacklight.

Don’t Attack End-Users…

In reply to foolish users then?

lastchip is 100% correct when he states that “Most don’t even know what admin means!” Most of you are looking at this from the wrong perspective. We are all IT professionals (I assume) and we are assuming that everyone with a computer knows what they are doing.

The problem is that Sony knew what they were doing when they created this rootkit and probably researched every component of all the different operating systems, otherwise they would not have taken such a risk.

Keep in mind that if it wasn’t for end-users, including both home or corporate, we would not have jobs. An end-user would not call us for assistance if they knew what they were doing. So whether they are working with Admin rights or not does not really matter.

I say do your jobs as best as you can and make sure that your corporate network does not get infested, or be happy that home end-users are calling you to clean up their computers and paying you.

Leave that to Sony

In reply to Don’t Attack End-Users…

“Keep in mind that if it wasn’t for end-users, including both home or corporate, we would not have jobs.”

I, for one, would have simply learned another skill, just as I learned IT: according to demand.

“An end-user would not call us for assistance if they knew what they were doing.”

That’s true, but does not in any way imply that your next sentence is true: “So whether they are working with Admin rights or not does not really matter.”

Placement of the word “So” indicates that you assert a cause-effect relationship, which I challenge you to prove.

Why is anyone surprised at Sony?

In reply to Leave that to Sony

“I, for one, would have simply learned another skill, just as I learned IT: according to demand.”

But you didn’t learn another skill. You work in IT and (I’m assuming) you like it. Even if you learn a new skill it’s the same thing; someone needs your help with something that they are not an “expert” at doing.

“Placement of the word “So” indicates that you assert a cause-effect relationship, which I challenge you to prove.”

My point is that, in this case, Microsoft keeps attempting to make home end-users more comfortable with the operating systems, and up to this point the easiest thing to do is allow the user who does not know anything to work without frustration. Obviously, this leads to other issues, but like I previously stated, that’s were we coming in.

There is no such thing as a perfect anything in this world and I honestly think that we, as hard working individuals, should discuss it, fix it, enjoy it, move on, and wait for the next issue.

Completely Agree

In reply to Why is anyone surprised at Sony?

I’m both an experienced IT expert and an end-user. I shouldn’t have to run my home PC without Admin rights. I take as much precaution as I can afford to prevent malicious people exploiting my PC. I don’t expect a multi-million dollar/pound/yen company leaving rootkits on my PC that will allow spyware or malware on my PC. If they were up-front about their rootkit, i.e. a *BIG* warning on the cover of the CD case explaining that by playing a CD that you just paid ?15 for on your PC you could expose both yourself and your PC to abuse – I’m sure no-one would buy their stuff!

Amen

In reply to Too damn slow.

Each of us accepts the responsibility for our actions. We try to convince ourselves that we are techs and are therefore above the common users, when in fact we are all humans and can be fooled. If we take the correct measures on our own machines and the machines we take responsibility for, then we feel that all is good in the world. The wolves are out there and its time we stopped acting like a bunch of blind sheep!

Running as admin.

In reply to Too damn slow.

The majority of home and SMEs run on admin because it is just too difficult for them to run as a user and then find that many things don’t work.
What would be nice is a revamp of the old 1988 Flushot, (It warned user if command.com was altered.) that would lock the registry and keep a backup of it for restoring, and lock the program files folder.
I use Frisks fp-win and when I run the ONDemand scan, it finds all the nasty stuff, keyloggers, rootkits, winnuke, BO2k, kkill, etc EVEN WHEN they are stored as zip files with a password.
I keep them in a normal ntfs folder for use, if required.
It even finds some nasty Linux sw that are kept as tar.gz… stored in a fat32 /download file.
It always, of course finds eicar.vom and netcat.
Its the small firms with 2 to 10 PCs that have the most trouble as they lack the skills to run the systems. The limit of their IT is often the European Computer Driving Licence, and those are the knowledgable ones. I remember at one meeting finding that the term “Firewall” was unknown to most. Some don’t even update their anti-virus.

Just an aside…

In reply to Running as admin.

The European Computer Driver’s License is called the Internet and Computing Core Certification (IC3) in the United States. This is the most under-used and under-rated certification, in my opinion. Note that this is a USER certification, not a TECHNICIAN certification (like A+).

installing sw

In reply to Too damn slow.

so if you take away installing software, ‘all hell breaks loose’.

I’d suggest all hell is likely to break loose once your PCs are loaded with programs that conflict (salesperson here installed new vsn office by herself), and rootkits, spyware, and unknown to your company (often unlicensed) copies of myriad other software

Re-read my post.

In reply to installing sw

You are referring to a commercial environment. My post referred to a home user. There is a world of difference. The two in my opinion cannot be compared.

I also said, if you have a good policy and admin, you’re unlikely to be affected anyway.

there are always exceptions…

In reply to Re-read my post.

There are always exceptions to the rules..

Policies that are not strictly enforced by higher management, “special” users, laptops … all of these have potential to be damaging inside an office environment and in some, the IT Staff just has to grin and bare it. 😉

I was paid very very well to come in and help clean up a corporate network from Nimda/Code Red … all it took was one user not to read the policy and poof everything was spreading.

Point taken.

In reply to there are always exceptions…

But if management are not enforcing policy properly, they only have themselves to blame when things go pear shaped – don’t blame IT, we told you so!!

A well written policy will allow for the deviations you mentioned, but hopefully, those with the “higher” privileges, will be aware of the damage they can potentially do and therefore act accordingly. If that is not the case, one has to ask if these users really should have that amount of freedom in a corporate environment.

As regards reading policy, it is my belief that all new employees, should have it spelt out to them during their induction period and *before* they are ever allowed access to a company computer. Relying on people to read the company policy, is akin to asking an eight year old to read the EULA before loading the latest game. It just does not happen.

I know …

In reply to Point taken.

I know… and our policy they have to sign.. we narrowed it down to a single page of don’ts …. but of course they don’t remember them..

and as for a few of the ones that have higher privs …. several are owners …

An example… we send an email telling all employes a new virus is spreading, some may already have it in the box.. etc etc..

if it looks suspicious don’t open it, if its unexpected, don’t open it..

not more than 30 minutes later after a read receipt for an owner & manager comes in.. the email comes.. I got this file from a previous employee and friend, I tried to open it but it didn’t do anything .. the email didn’t even make sense, can you figure this out for me?

at that point they had to put the straigh jacket on me before I went out to roll the jeep over the person 50 or 60 times..

Sad to say, but…

In reply to Little if any inderstanding

what you are saying is a sad fact of modern computing. For every “convenience feature” there is an equal attack. So all of these features must be turned off. Computers shouldn’t be run in admin rights. Its too dangerous.

Everyone blames the companies (especially Bill and friends) but the real problem is us (as in human beings, not in computer specialists). We keep believing the myth that computers are appliances and are easily accessable by the masses. They are not. Computers are not appliances that can be easily manipulated by anyone. Its an advanced skill set with some complicated subtasks.

The “personal computing revolution” was based on a premise that is totally violated today. A “personal computer” was designed to be a stand alone, never connected to a network entity. That is why its called a personal computer! As soon as it is attached to a network (to include the internet) it becomes a networked computer and all the rules are changed. We keep changing the rules for our convenience, and we have created the monster.

DOS/Windows varieties were not originally meant to be used on networks. They are 100% invulnerable as long as they are connected to nothing else! And that was the plan, I think. Ease of installation is a good thing on a stand alone machine. On a network, its a nightmare. Admin rights on DOS/Win 3.1/95/98/ME etc is unnecessary because it was meant to be stand alone. All the networking stuff is added on later.

Just my take on this. I don’t know if you’ve ever read the essay “It All Began With the Command Line” but that author addresses this problem (and he addressed it around 10 years ago too!).

Well said, Rightly said

In reply to Sad to say, but…

I cannot think of a more timely or astute observation on this site. Your post should be framed and on the wall in every single help desk, and IT Center on the planet.

Just because you can do something, does not mean tha tyou should do something.

Unplugged not entirely safe

In reply to Sad to say, but…

Virus protection was around before the internet became ubiquitous. A disconnected machine can be compromised. They came on real floppy floppies.

In the “old” days they were plain malicious nasties, since they could not communicate all a virus could do was screw things up. Now they try to send your credit card number to Romania. Do you remember tweaking memory to make sure you had enough to run some piggy software??

The problems are different and probably more numerous now. We are asking computers to do much more now as well.

Precisely why a company like Sony should be SMACKED hard for adding another. This thing would never have stopped ardent rippers.

YES Norton, McAfee … should be questioned in their failure to respond.

Evolution

In reply to Sad to say, but…

The Personal Computer was a personal computer because in the
beginning, there was no network and no one to talk to. The need
to share information evolved early on because running back and
forth with floppies was painful, even in one office.

Now we have a highly evolved situation where information
sharing is possible, easy and, in fact, essential.

Corporate admins have a thankless and difficult job. Service
providers could do a lot to filter out the garbage closer to the
source. But the real culprits are the OS developers, particularly
Microsoft, who are more bent on adding near-useless features
(but 250 of them at a time!) than they are on providing a secure
computing environment.

If administrators can create reasonably secure environments
despite the flaws in the OS, then just imagine how much easier
life would be if the OS developers eliminated the holes at the
beginning.

The telecommunications industry lives on Unix. So do a lot of
government installations. They are running in secure
environments. I’m not recommending Unix for the masses, but it
demonstrates that it can be done. And the Mac OS demonstrates
that a friendly face can be put on top of Unix.

Good point, but not realistic

In reply to Little if any inderstanding

Having users logged in as just that, users, is a great idea. Too bad in most of the real world that isn’t likely to happen. If you work in the IT department of any firm, you answer to those at the top of the firm — and until those at the top of the firm are themselves willing to have their systems rights restricted, they’re not going to allow themselves to be locked down. Getting them down to Power User level is a real battle, but at least at that level the administrative shares are not available to them. In most cases it seems to take the firm getting hit with something nasty before those who can make such decisions give the go-ahead for a lock-down. Sad, but true.

Admin Rights not the answer…

In reply to Little if any inderstanding

My daughters have PCs of their own. I had read about running with Admin rights, and the dangers. So I restricted them to be “users”. This was a bit of a pain sometimes when the latest game patches had to be installed, but it was all in the name of security – or so I thought.

Then one day my oldest starts complaining that her machine is running “really slow”, and that certain things are not working properly any more.

The hair was up on the back of my neck, so I told her not to use it until I gave her the AOK.

Her machine was peppered with viruses! It took me 3 days to get rid of all the security threats that had infacted her machine. And that machine was completely clean when I gave it to her – so every one of these little nasties managed to get in and get installed WITHOUT ADMIN RIGHTS!

I still think running without admin rights is a good idea, but I liken it to wearing a condom… It gives you a false sense of security while you are being screwed.

Reply To: Not Just Sony to Blame – Security Companies’ Catastrophic Failure

In reply to Admin Rights not the answer…

I’ve experienced the same thing in the corporate environment, where we have more protection. Many or even most of the exploits cleverly circumvent any requirement for administrative privileges, while much legitimate software requires it. Making users non-admins of the local machine great hampers the user, but only minimally (if at all) hampers the great majority of exploits.

Reply To: Not Just Sony to Blame – Security Companies’ Catastrophic Failure

In reply to Little if any inderstanding

You’ve got to be kidding, graeme@…, this is a very important question — why did none of the major security companies not alert their *paying* customers to this problem? You’re like the person who says that a raped women should not have gone out to her car, that she was just asking for trouble. It’s the rapist who is the criminal and needs to be stopped.

Ok NO Admin – Then what

In reply to Little if any inderstanding

So you set a system up so NOTHING can be installed without notice and seven double dares.

The typical home user would look at the Sony brand (a bunch of them have Sony computers), the message that tells them they need to use the Sony software to play the CD you will even be able to copy it to your computer with Sony software… and install it without thinking any further. No mention that the software will attempt to interfere with other software you may already have on your system, or phone home. I’m sure it’s in the EULA on page 26 in latin.

This is unacceptable behavior on the part of SONY, they are hiding behind the EULA not responsible for anything under any circumstances. All in an attempt to stop people that don’t know how to burn a cd from burning a cd. It’s just plain STUPID on Sony’s part.

The sad part is that Sony is not going to be hit hard enough to change their attitude. I used to wonder why Beta lost out to VHS.

Software design

In reply to Little if any inderstanding

Several common accounting programs REQUIRE the user to be an admin on the local machine. In discussion, they can’t see anything wrong with that, claiming that their databases are bulletproof. That may be but leaves the machine wide open otherwise

Well you are right when it come to IT. But…

In reply to Little if any inderstanding

If you talk about normal consumer that put a CD in their computer at home to listen the music and from a well know and trustable corporation as SONY “was” yes they were right to install it. Did Sony put a warning that said if you install me you will install a rootkit that program will not uninstall and will not be detectable by scanning and furthermore if you do not agree to the installation the file will be copied to the HD but not activated? Furthermore we SONY will remove access totaly to your CD burner if you attempt to remove the software by using or not using the ADD/Remove feature from Microsoft.

They were installing their software (home consumer)with the intention to listen the music you can’t blame a normal consumer to have trusted SONY to not mess their computer, when I read their warning they only state that you need it to make 3 legal copy of the CD and to be able to listen it on your PC otherwise there were safe with it.

SONY used the worst kind of deceptive activity they could have imagine and it rival with social enginering I for once would have never tough that it is more safe to download illegal music then install a legitimate commercial CD do you see the irony here?

For me SONY should paid a lot and I mean a lot because money talk and when you hurt the wallet it is the only language that it is univeral now 🙂 with multi-national corporation.

root kit fix

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

The software “ANY DVD” made by Slysoft will block the root kit bug. Robert

takes one to know one

In reply to root kit fix

That’s well and good, but to be honest, most folks running AnyDVD are using it for purposes that are quasi-legal at best. (Not arguing we shouldn’t have the right to do what the program does, but the current legal environment makes this a questionable practice). It is basically a hacker tool. (See, not all hackers are evil people. Evil depends on your point of view.)
The point is the First4 DRM software(which AnyDVD circumvents) took actions that any decent security progam should not have allowed. The average user buys these programs because they DON’T understand all this security stuff but want to be secure. They rely on this software to protect them, yet this threat went undetected (or unannounced more likely) for months. That’s not acceptable performance for a security software, regardless of how stupid the user is.

Re: AnyDVD

In reply to takes one to know one

People abusing AnyDVD’s capabilities isn’t even relevent.

Manufactures of video cards have forced me to use that program. I use my computer with the TV outputs to watch DVDs on my TV. Manufactures are honoring Macrovision security on the TV output of video cards ASSUMING people MUST be using that RCA output to copy the DVD. Yea right I’m going to take a digital signal convert it to an analog signal and then make my copy. That’s just stupid.

But just to be able to watch my DVD on my TV (isn’t that what we’re supposed to do?) I had to spend more money on a program that gave me back this basic right. Now back to the point of people abusing AnyDVDs capabilities not even being relevent.

Does anyone assume that people buy a hammer to go smashing peoples heads in? It been done you know. How about making it that pens couldn’t right on checks because we MUST assume they are writing forged checks. But we could also make keys that wouldn’t open doors because they could be copied.

Allow people thier basic rights and prosecute criminals.

Norton AV Found the Sony Rootkit

In reply to root kit fix

MY NAV found and disabled the Sony rootkit on my PC.

Just FYI.

Not quite…

In reply to Norton AV Found the Sony Rootkit

It disabled the cloaking features of the rootkit, but it didn’t disable all the spyware phone-home crap that the rootkit was meant to hide. Sony still knows every time you play that CD, among other things.
NAV can disable the rootkit, but thanks to the wonderful piece of legislation called the DMCA, it’s illegal to remove the Sony spyware from a computer.

Lovely, isn’t it?

Lovely, but not suprising-UGH!

In reply to Not quite…

You, of course are correct, but at least NAV caught it. And, BTW, it was the day prior to all this Hitting-the-fan, so for a day or so, I was baffled as to where it came from.

… not really satisfying to find it came from a CD!!!… but it did answer my curiosity as to the source…

The more I think about it the more upset I get, how can a company like SONY be sooooooooooooo dumb, sheeeesh!!!

Microsoft AntiSpyware Beta 1

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

Oddly enough Microsoft’s AntiSpyware Beta 1 detects and removes the Sony rootkit developed by First4Interent. I saw it with my own eyes!

naturally!

In reply to Microsoft AntiSpyware Beta 1

Do you think it is a coincidence that a Microsoft product (MS being a competitor to Sony in DRM) detects and removes this? But the $64,000 question is when did AntiSpyware first start detecting and removing it? A lot of security software has started detecting since this story has become big news. What about a month ago before anyone had heard of this issue?

The Burden of Security

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

The obligation needs to be on the of software and systems to provide a basic expectation of security… not the individual users. When I buy a car, I am not assumed to be an mechanic who will check out and understand the engine, cylinders, … that is what I am paying for. When I buy a service contract for my furnace, I expect it to work and be promptly repaired, not to have to analyze the problem in detail myself.

Apparently, even Macintosh was somewhat vulnerable to this product/attack. It provided a pop-up… but did that stop most people from saying “Yes”? Remember, this problem has been out for months and months.

If we expect everyone using computers to be a security expert… then we should find new jobs or write better “IT Security for Dummies” books… because we are not providing much value otherwise.

Even though I have been in the industry for nearly 20 years, I want to spend my time working on new problems that I might get paid for. Not endlessly tweeking and monitoring my registry settings by hand.

Security doesn’t have to be invisible, but it should be straightforward to do reasonably properly with a minimum of effort.

Well-behaved operating system

In reply to The Burden of Security

I pretty much agree with secureplay. The operating system
should not allow software to be installed without announcing
that it is occurring. It should provide a simple warning that
software is being installed. In turn, the installer should provide a
simple, declarative description of what is being installed, along
with a list of items. The OS warning should advise the user NOT
to install software that doesn’t clearly describe what is being
installed.

In the case of major apps like Office, you’re not going to list
every component, but you should list the individual applications
and any major add-ons. Acrobat Reader lists add-ons such as
the Yahoo search bar and gives you the option to refuse it.
That’s the way it should work.

Instead, vendors drop crap all over your system, AOL being a
prime example and Microsoft being equally guilty. They don’t
provide you with an installation menu, they just take over your
system. Then you either live with their crap or get a post-
doctoral education on how to remove it safely.

You buy most products, like cars, with the intention of turning
them on, using them, and turning them off. A car is complicated
enough to operate that you need some lessons and a license
because, misused, it can be lethal. But you’re not expected to
learn the mechanics of internal combustion engines, fuel
injectors or the electronics that underlie a modern car’s
operation.

There is no other industry like the computing industry.
Somehow, people have been conditioned to accept operating
systems, Windows being notorious in this respect, that are just
plain defective. Not only are they defective out of the box, they
are preset to offer “conveniences” (try admin privileges for size)
that supposedly simplify and “enhance” your experience while at
the same time exposing you to invasion of privacy and
deprivation of the use of that for which you paid!

I agree

In reply to The Burden of Security

I agree. I’m mostly self-taught about computers. I’ve gone through a lot of Dummies and Idiots books. I’ve taken a few classes here and there. I try to keep up on what is going on. I’ve read some hacker books and have been experimented with various Linux distributions. I have not taken any programming languages except a basic HTML class. So I still don’t exactly understand how crackers, spammers, spies, or whoever, are able to put stuff on my PC without my knowledge or authorization.

I use Norton and Spy Sweeper to try to keep the nasty invaders out. But I still come up with stuff from time to time. In fact, I had to reinstall Windows XP onetime and foolishly tried to do the Windows update before I installed my antivirus. I ended up with some many demons, apparently lurking at the Microsoft update site, that I had to uninstall and reinstall.

To me this is a crappy way to run a railroad. It seems like ISP providers could filter this crap out someway.

I would appreciate any helpful suggestions on my comments.

Somewhat belated reply

In reply to I agree

I agree that ISP providers could do a better job of screening the
crap, but they operate under several handicaps. They can’t
control what “legitimate” sources transfer to your system, so if
Windows Update is going to mess up something on your system,
your ISP can’t be responsible. Also, ISPs operate under legal
limitations, e.g., they aren’t free to violate the First Amendment
and screen out everything they might like to. What you judge
offensive and what they judge offensive might differ.

The place to block intrusions is at the source: the operating
system and application vendors CAN and SHOULD rank the
security and integrity of their customers’ systems higher than
“featuritis” where they feel compelled to fix 5 bugs, 15 security
holes and add 38 useless features every time you turn around.

You still have some responsibilities as a user, but that should be
limited for the most part to not acting stupid.

User Abuse

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

Try replacing the word USER with the word Customer.

Customer’s are looking for turnkey solutions. The PC is presented as a solution; not as an evolving problem (my view).

If security had been designed so that “Everything not specifically permitted is denied.” their sales would have taken longer to get going.

I Cant Agree with that

In reply to User Abuse

I cannot agree that the PC os a solution and not an evolving problem. The PC will ALWAYS be an evolving problem, That is why we have Jobs as said before. New hardware dictates new software, new software guarentees new bug/security holes, etc. New bugs /security holes, etc gurentees that the hacking community will find a way to expoit it. You should never think of the PC as the solution, it is only a dumb tool that can only do what it is told to do by a person or a piece of software written by a person. Just my 2 cents worth.

I feel so used

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

This is a very interresting question. Now that you mention it. it does seem at this stage of computer (in)security we are all in the end vulnerable to the virus/worm/rootkit writers of the world. And there isn’t a dam* thing we can do about it. Who knows is the security suite companies stoped some instances of this rootkit(if they did they didn’t mention it.)
But this conclusively proves that the security people are always at least one step behind in protecting me. And only because of the diligence of a few investigative independent ‘puter users was this even brought to light. I look at it like this, who do you blame the viscious dog, the dog owner who bred him or the dog catcher who was supposed to protect me. I blame all three. The code writer, Sony AND my “Security Suite” people.

I feel betrayed…

In reply to I feel so used

“But this conclusively proves that the security people are always at least one step behind in protecting me.”

Maybe, just maybe, the security firms have another reason to be one step behind; financial! There are Company’s that will overlook or build in faults just to help justify the kick-backs that come their way. Security Company people are human, too.

What security?

In reply to I feel betrayed…

Who is securing us against the Security Companies?

Whos guarding

In reply to What security?

Whos guarding the guards? Either its the blackhats or more whitehats laughing at the unsuccessfull or downright stupid attempts at securing anything.

In other words: Ridicule is a marvelous motivator to security pros.

– beads

Forget software, go hardware-based!!!

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

These so-called “security” software companies out there with their software solutions will continue to be behind the power-curve from the elite hackers/crackers out there. They will continue to increase the gap as IT systems will become much more complex in the next few years.

The only “ground-zero” solution which I have experimented with so far with excellent results is a hardware-based packet scanning and IDS system that can be placed on the main internet backbone.
Right now, these systems are cost-prohibitive but eventually I see them as a standard for every PC and server.

Stop the problem at the “root” of the source not afterwards!

running for cover

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

work for a huge aerospace corporation…just got an email from the corporate watch dog…no sony produced cd’s allowed on the network…maybe this is the exposure we’ve been hoping for…

I believe Panda Software did?

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

I understand that Panda’s Antivirus picked this up and if not the new TruPrevent technologies would have handled it…..

Have to check

In reply to I believe Panda Software did?

The only AV that I can think of that actively does real work on rootkits, that I am directly aware, is F-Prot.

Not that Panda isn’t capable but I haven’t read enough from Panda to say: Yeah or Nay.

I would be interested though. The “Big 3” AVs in the market, Symantec, McAfee and TrendMicro seem to be asleep at the wheel with this one. Obviously, this will, most likely, become the biggest security headache of 2006. Rootkits could make spyware look like a passing fad in comparison.

Gonna have to check the Wilders board as well to see if T3, etc. has any word on who did and didn’t detect this thing.

Wish me luck!

– beads

Norman SandBox

In reply to Have to check

Norman SandBox with early detection of security risk created by DRM protected Sony BMG Entertainment CDs
While antivirus companies are working hard to release an update to identify this malicious code that uses the rootkit automatically installed by some Sony CDs, Norman?s proactive antivirus solution, Norman Sandbox, already detected this software, classified as a potential security risk.
Check http://www.norman.com/en-us

The Real Blame? Its Microsoft’s fault!

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

You want to lay blame on someone for real?

Microsoft!

They created “Autoplay” .. but only created an ON or OFF reaction to it. Not guarded or secured in any way, like it should be!

example: new cd gets placed in drive
Microsoft prompt -> New CD -> Autoplay? Open or Nothing?

They in some way do this NOW with XP … but it still isn’t like it should be..

notice I said NEW cd .. what about tracking CD’s I’ve already put into the system and keeping track of my actions on those.. and again.. allowing me to do the same as before, or set a new action for this cd and its subsequent insertions?

And for that matter.. the security of just RUNNING a cd in the first place, because ANY idiot could walk up to a machine in the computer store and start inserting disks.. so what happens when the default allows this?

Microsoft should not have put Autoplay into production as it was, because it is NOT secure in ANY of its current forms.

It is SLIGHTLY more secure in Windows XP .. but their feature is still a valid threat as we’ve already seen.

For those of us that want the protection of asking what we want to do, we should be able to have it default to our last action, and NOT with a “set this as default action” box checked..

NB

In reply to The Real Blame? Its Microsoft’s fault!

note that this is a Microsoft-only problem, is it not?

Shut it OFF

In reply to The Real Blame? Its Microsoft’s fault!

A lot of us disagree with many of Microsoft’s “default” actions in any given MS OS, but anybody who has used ANY MS system in the last 8 years or so (and who therefore hopefully has at least basic computer chops) knows to kill “Autoplay” 8 o’clock, day one.

I agree with most of what has already been said here, but users have to also take SOME responsibility for this.
What I wanna know is: Who in their right mind would buy a copy protected CD in the first place??? Amazon clearly labels them as such.
We all need to vote with our pocketbooks if we want to keep things such as this from even getting to our machines in the first place. Copy protected audio media? No thanks, I’ll pass.

unfortunately

In reply to Shut it OFF

Most users are not quite like us: they buy the band whose name is up in lights without really paying attention to issues with copy protection. Maybe things will change, as harmful DRM like this gets more negative press, but I’m not going to bet my lunch money on it.

You can’t stop what you use.

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

It almost sounds like they don’t want to detect software they have bundled in their own products as an attacker.

That would mean they would have to come clean about how they have been using it for a while now.

Control of the Internet AND computers

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

All this schmutz will come to a head when the Internet and computer usage will be controlled to the point that the Internet and computers will be no longer available to the public for fear of abuse.

-swg;D

Scotch tape

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

LOL!!!! Way too funny!!! You can get around installing Sony’s stealth software with scotch tape!!

http://informationweek.com/story/showArticle.jhtml?articleID=174400748

Re: Scotch tape

In reply to Scotch tape

That’s absolutely beautiful.

I wonder how much money Sony spent on research and development? I’ll bet it cost a lot more than a roll of tape. You would have thought they would have learned thier lesson with the last fiasco with the DRM defeated with a black marker within days after the first cd was released.

Now how much money are they going to loose in market share and legal fees? Oh boy did they blow it!

Sony wants your comments

In reply to Scotch tape

I think everyone should fill out the sony feedback page Daily for the next 90 days.
I think that everyone should alse send a complaining eMail to every sony email address you can find, daily for the next 90 days.
should raise a stink.

the following is a link to Sony Music Feedback page
http://www.sonymusic.net/sony/feedback.cgi

AND
here are som sony email addresses.
General Comments: SonyMusicOnline@sonymusic.com
Website Technical Problem: SonyMusicOnline@sonymusic.com
Columbia Records: feedback@columbiarecords.com
Epic Records: feedback@epicrecords.com
Legacy Recordings: LegacyOnline@sonymusic.com
Sony Music Nashville: SonyMusicOnline@sonymusic.com
Sony Classical: feedback@sonyclassical.com
Sony Wonder: SonyWonder@sonymusic.com
Sony Music Store: SMFCustomer_Services@sonymusic.com
Sony Music Custom Marketing: smsp@sonymusic.com

What about ISP’s?

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

Why don’t the ISP’s speak out and filter some of this stuff that goes thru their servers?
Someone is making money on all of this.Collusion,I don’t know but certainly someone is getting PAID OFF.

DRM is EVIL ….

In reply to Not Just Sony to Blame – Security Companies’ Catastrophic Failure

Digital Millennium Copyright Act (DMCA) is ?ROOT? of this DRM EVIL!!!

http://www.theregister.co.uk/2005/11/27/dmca_takedown_regs_abused/

Boycott not ONLY Sony, but ALSO their Subsidiaries AND ANY other company that uses such tactics!!!

http://www.technewsworld.com/story/CY2jp1KR4m82Ms/Rooting-Out-Spyware-Sonys-Lesson.xhtml

Sony?s other ?Labels? are listed here:

http://www.sonymusic.com/labels/index.html

http://www.theregister.co.uk/2005/11/30/sony_drm_spitzer/

http://www.boycottsony.us

Evidently EMI is in on this, too:

According to this article: http://www.ecommercetimes.com/story/47497.html

?EMI has been releasing select albums — including the latest Nickelback album, “All The Right Reasons” – this way for about three years. The company intends to ship out all its releases with the technology by year’s end.?

http://www.emimusic.info/us_EN/

?Terry Millar, director of manufacturing at EMI Canada? thinks that ?other labels, like Universal and Warner, will eventually follow with similar technology.? Do YOU think they already MAY have? 😉

 THIS is MY example of why a total boycott of Sony, et al should promptly ensue:

I have “Live in San Fan Francisco” by Joe Satriani…an EPIC DVD. EPIC is on Sony?s Label List and Joe Satriani is on Sony’s Artist List.

I tried to copy just the AUDIO part of “Bass Solo” by Stewart Hamm on Disc 2 of the two disc set so I could play it in my car CD player. After that my computer would NOT play THAT track at ALL!!!!! And the Bass Solo didn?t even copy, either. 

In addition to which, I did this about TWO YEARS ago!!! Ever since then I’ve had BIG problems with THAT computer. It FRIED the hard drive which was, at the time, ONLY a few months old!!!

Suspicious??? NOW that Five Year Old DRM is causing all kinds of problems??? You BET it IS!!!!! 😉

The good news is ?EFF Files Class Action Suit Against Sony-BMG?

http://www.slyck.com/news.php?story=1003

Media Max Software

In reply to DRM is EVIL ….

I see that sony is creating more uncertainty with it’s software approach.According to an article on the bbc technology page,anyone putting a music CD bearing the MediaMax software in their PC introduced a vulnerability that malicious hackers could hijack to win control of a machine.Read the article at this link:

http://news.bbc.co.uk/1/hi/technology/4511042.stm

[Author]

Replies