Sony warned early of rootkit dangers

Powered by SC Magazine
 

Bloggers’ latest question for the brass at Sony-BMG Entertainment has become, “Why didn’t the music giant act sooner?”

After Business Week magazine revealed that F-Secure had alerted Sony to the problem on Oct. 4 – weeks before the spyware-like device became a full-fledged media circus – Sony took no action on the application installed on its CD-Roms until mid-November when it pulled discs containing the program from stores.

F-Secure told the magazine that it had learned of the rootkit from John Guarino, a Manhattan computer technician.

Mark Russinovich, the Windows system expert who revealed the existence of the Sony rootkit in late October, said he still felt the company wasn't ating in the best interests of its customers in a recent posting.

"Two weeks ago, I declared victory in what the media is now referring to as the 'Sony rootkit debacle,' but I'm now wondering if I jumped the gun," he said on his blog. "It turns out that the CDs containing the XCP rootkit technology are still widely available, there's still no sign of an uninstaller and comments made recently by the president of the Recording Industry Association of America make it clear that the music industry is still missing the point."

Russinovich's disclosure preceded the appearance of trojans that took advantage of the First4Internet cloaking technology on Sony CDs. Bloggers also revealed that the uninstaller Sony had offered opened up other vulnerabilities on a PC.

An investigation by New York State Attorney General and Democratic gubernatorial candidate Elliot Spitzer revealed last week that CDs containing the spyware-like technology were still widely available in stores.

The state of Texas and the Electronic Frontier Foundation also filed suits against Sony on behalf of consumers, < href='http://www.scmagazine.com/us/news/article/530902/private-dc-suit-filed-against-sony/'>as did the firm Finkelstein, Thompson & Loughran on behalf of District of Columbia residents.

Ed Felten, a Princeton University computer science professor, asked on his "Freedom to Tinker" blog on Wednesday, "What did Sony-BMG know and when did it know it?"

"We have to consider the possibility that Sony and First4Internet understood the significance of the rootkit, but simply felt that copy protection trumped users' security," he said. "First4Internet held that view – otherwise it's hard to explain their design decision to deploy rootkit functionality – and Sony may well have held it too."

www.f-secure.com www.freedom-to-tinker.com www.sysinternals.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
Innovating in the sleepy super industry
There’s little incentive to be on the bleeding edge, so why is Andrew Todd fighting so hard?
 
How technology will unify Toll
The systems headache formed through 15 years of acquisitions.
 
Immigration breached Privacy Act with data leak
Pilgrim slams "copy and paste" of asylum seeker data.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  7%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 810

Vote