Bruce Schneier kindly analyzes the Sony DRM disaster
In this excellent piece in Wired, Bruce Schneier, well-known security sage, discusses how much of a PR, technical, and marketing disaster the Sony copy-protected CD fiasco has been. I haven't revisited this story for a few days, but I have been noticing that even the Department of Homeland Security is now involved. and that criminal prosecution is now possible (but not likely) under the cybercrime act. As Bruce notes:
As he notes, even Microsoft resisted detecting and removing the rootkit until forced to by public opinion. Why? Because Microsoft wants to work with media companies to become the media distribution channel of choice, and it is willing to put its business interests ahead of its customers.
The bottom line: businesses and consumers need security, but it now appears that they cannot trust 1) Sony, 2) security companies, or 3) Microsoft to give it to them. And with Sarbanes Oxley breathing down their necks and making CEOs personally responsible for the authority and security of their financials, it's only a matter of time before some large Fortune 500 firm CEO says, "Enough is enough; call Steve Jobs and see what kind of deal we can get on 50,000 Apple computers." It's going to happen; the only question is when.
More than half a million networks, including military and government sites, were likely infected by copy-restriction software distributed by Sony on a handful of its CDs, according to a statistical analysis of domain servers conducted by a well-respected security researcher and confirmed by independent experts Tuesday.
If this were a 16-year-old kid doing this, he'd be doing the perp walk down to his local courthouse, but since it is Sony, this ethics-free behavior is just marketing and damage control. And as Bruce points out, the blame doesn't stop with Sony. Almost none of the so-called security companies have done anything about this serious security breech:
McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." Thanks for the warning.
Symantec's response to the rootkit has, to put it kindly, evolved. At first the company didn't consider XCP malware at all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy about it, explaining that "this rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software."
As he notes, even Microsoft resisted detecting and removing the rootkit until forced to by public opinion. Why? Because Microsoft wants to work with media companies to become the media distribution channel of choice, and it is willing to put its business interests ahead of its customers.
The bottom line: businesses and consumers need security, but it now appears that they cannot trust 1) Sony, 2) security companies, or 3) Microsoft to give it to them. And with Sarbanes Oxley breathing down their necks and making CEOs personally responsible for the authority and security of their financials, it's only a matter of time before some large Fortune 500 firm CEO says, "Enough is enough; call Steve Jobs and see what kind of deal we can get on 50,000 Apple computers." It's going to happen; the only question is when.
Technorati Tags: Apple, Communications, DRM, Marketing, Microsoft, Music, Sony, Security, Steve Jobs
posted by Carl Howe at
6:37 PM
| View blog reactions
| 
