Sony BMG Rootkit Scandal: 10 Years Later

Object lessons from infamous 2005 Sony BMG rootkit security/privacy incident are many -- and Sony's still paying a price for its ham-handed DRM overreach today.

1 2 Page 2
Page 2 of 2

is, so why should they care about it?" went the infamous quote from Thomas Hesse, then president of Sony BMG's Global Digital Business. The company recalled products, issued and re-issued rootkit removal tools, and settled lawsuits with a number of states, the Federal Trade Commission and the Electronic Frontier Foundation.

Microsoft and security vendors were also chastised for their relative silence and slow response regarding the rootkit and malware threat. In later years, debate emerged over how the term “rootkit” should be defined, and whether intent to maliciously seize control of a user’s system should be at the heart of it.

BACK TO THE FUTURE

In looking back at the incident now, the question arises about how such a privacy and security affront would be handled these days by everyone from the government to customers to vendors.

“In theory, the Federal Trade Commission would have more authority to go after [Sony BMG] since the FTC’s use of its section 5 power has been upheld by the courts,” says Scott Bradner, University Technology Security Officer at Harvard. “The FTC could easily see the installation of an undisclosed rootlet as fitting its definition of unfair competitive practices.”

Bill Bonney, principal consulting analyst with new research and consulting firm TechVision Research, says he can’t speak to how the law might protect consumers from a modern day Sony BMG rootkit, but “with the backlash we have seen for all types of non-transparent ways (spying, exploiting, etc.) companies are dealing with their customers, I think in the court of public opinion the response could be pretty substantial and, as happened recently with the EU acting (theoretically) because of [the NSA’s PRISM program], if the issue is egregious enough there could be legal or regulatory consequences. “

As for how customers might react today, we’ve all seen how quickly people turn to social media to take companies to task for any product or service shortcoming or any business shenanigans. Look no further than Lenovo, which earlier this year got a strong dose of negative customer reaction when it admittedly screwed up by pre-loading Superfish crapware onto laptops. That software injected product recommendations into search results and opened a serious security hole by interfering with SSL-encrypted Web traffic. 

In terms of how security vendors now fare at spotting malware or other unsavory software, Schneier says “There’s always been that tension, even now with stuff the NSA and FBI does, about how this stuff is classified. I think [the vendors] are getting better, but they’re still not perfect… It’s hard to know what they still let by.”

Noted tech activist Cory Doctorow, writing for Boing Boing earlier this month, explains that some vendors had their reasons for not exposing the Sony rootkit right away. “Russinovich was not the first researcher to discover the Sony Rootkit, just the first researcher to blow the whistle on it. The other researchers were advised by their lawyers that any report on the rootkit would violate section 1201 of the DMCA, a 1998 law that prohibits removing ‘copyright protection’ software. The gap between discovery and reporting gave the infection a long time to spread.”

Reasons for hope though include recent revelations by the likes of Malwarebytes, which warned users that a malicious variety of adware dubbed eFast was hijacking the Chrome browser and replacing it, by becoming the default browser associated with common file types like jpeg and html.

Schneier says it’s important that some of the more prominent security and anti-virus companies -- from Kaspersky in Russia to F-Secure in Finland to Symantec in the United States to Panda Security in Spain -- are spread across the globe given that shady software practices such as the spread of rootkits are now often the work of governments. 

“You have enough government diversity that if you have one company deliberately not finding something, then others will,” says Schneier, who wrote eloquently about the Sony BMG affair for Wired.com back in 2005

LESSONS LEARNED – OR NOT -- FROM SONY ROOTKIT

The non-profit Free Software Foundation Europe (FSFE) has been calling attention to the Sony BMG rootkit’s 10th anniversary, urging the masses to “Make some noise and write about this fiasco” involving DRM. The FSFE, seeing DRM as an anti-competitive practice, refers to the words behind the acronym as digital restriction management rather than the more common digital rights management.

screen shot 2015 10 28 at 12.29.05 pm FSFE

From Free Software Foundation Europe's Twitter stream

In a blog post on FSFE’s website, the group states: “Despite the fallout of Sony's rootkit experiment, 10 years later restrictions on users' personal property are more prevalent than ever. Restrictions are commonly found in legitimately purchased ebooks, video game hardware, and all manner of proprietary software. It has even found ways into our cars and coffee machines.”

Mikko Hypponen Mikko Hypponen

F-Secure Chief Research Officer Mikko Hypponen: "I guess one lesson here is that you really don't want to make yourself a target."

Even worse, as the recent scandal involving VW’s emissions test circumvention software shows, is that businesses are still using secret software to their advantage without necessarily caring about the broader implications.

The object lessons from the Sony BMG scandal are many, and might be of interest to those arguing to build encryption backdoors into products for legitimate purposes but that might be turned into exploitable vulnerabilities.

One basic lesson is that you shouldn’t mimic the bad behavior that you’re ostensibly standing against, as Sony BMG did         “in at least appearing to violate the licensing terms of the PC manufacturers” TechVision’s Bonney says.

And yes, there is a warning from the Sony BMG episode “not to weaponize your own products. You are inviting a response,” he says.

MORE: 2015 Tech Industry Graveyard

This story, "Sony BMG Rootkit Scandal: 10 Years Later" was originally published by Network World.

Related:

Copyright © 2015 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
22 cybersecurity myths organizations need to stop believing in 2022