Sony: The Root of the Problem

Sony’s responses throughout the episode of the rootkit have been slow in a manner that suggests apathy. Thomas Hesse, President of Sony BMG’s global digital business division said in a November 4th interview on National Public Radio, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” Sony continues to maintain that the software posed no security risk, despite many reports to the contrary.

The restrictiveness of Sony’s EULA may point to one of the reasons why Sony felt it well within its rights to surreptitiously install software on users’ computers. The license agreement includes provisions forbidding export out of the country, meaning that users must delete the music from their machine before leaving the US, and a forfeiture of the user’s rights should they neglect to install updates as prescribed by Sony. The music cannot be altered or used in any way, such as accompanying a slideshow or sampling it. If a CD is lost or stolen, the right to play the music it contained is lost as well.

Ironically enough, examination of the rootkit indicates Sony’s feelings about digital rights don’t go both ways: the software contains pieces of code taken from LAME, an open source MP3 encoder, breaching that software’s license. The LAME license requires that a copyright notice be included and that the source code be made available to open-source libraries. Sony has complied with neither of these requirements.

The incident has also raised questions about manufacturers of anti-malware software (malware, also called “malicious software,” is software designed to harm or disrupt a computer system), who did not react to the presence of the rootkit until the storm of publicity hit, even though by then the software had been in existence for months and had compromised hundreds of thousands of personal computers.

If your computer has been compromised, you may currently be out of luck. While Sony’s website features an uninstaller for XCP, the uninstaller contains its own security problems. Registering in order to use the uninstaller requires the use of Microsoft Internet Explorer as a browser and also involves reporting personal information which, Sony’s privacy policy reveals, may be used for promotions or provided to affiliates and non-Sony companies. Research by security experts Edward Felten and J. Alex Halderman indicates that the ActiveX component installed as a result of using the uninstaller allows any website to run software on the user’s computer. After being used to uninstall the kit, the control remains active on the computer, leaving it vulnerable.

If you have CDs that feature XCP, Sony BMG provides a free UPS service for exchanging them. Details are available here.


