[Discussioni] come la Sony, e chissa` quanti altri, spiano i nostri computer

[Francesco Potorti`]

Questo articolo contiene un rapido riassunto della storiaccia dei CD
della Sony, e una serie di interessanti conclusioni, su cui mi
piacerebbe discutere riguardo al software libero. Di Bruce Schneier.

================
Sony's DRM Rootkit: The Real Story


It's a David and Goliath story of the tech blogs defeating a
mega-corporation.

On Oct. 31, Mark Russinovich broke the story in his blog: Sony BMG
Music Entertainment distributed a copy-protection scheme with music
CDs that secretly installed a rootkit on computers. This software
tool is run without your knowledge or consent -- if it's loaded on
your computer with a CD, a hacker can gain and maintain access to
your system and you wouldn't know it.

The Sony code modifies Windows so you can't tell it's there, a
process called "cloaking" in the hacker world. It acts as spyware,
surreptitiously sending information about you to Sony. And it can't
be removed; trying to get rid of it damages Windows.

This story was picked up by other blogs (including mine), followed
by the computer press. Finally, the mainstream media took it up.

The outcry was so great that on Nov. 11, Sony announced it was
temporarily halting production of that copy-protection scheme. That
still wasn't enough -- on Nov. 14 the company announced it was
pulling copy-protected CDs from store shelves and offered to replace
customers' infected CDs for free.

But that's not the real story here.

It's a tale of extreme hubris. Sony rolled out this incredibly
invasive copy-protection scheme without ever publicly discussing its
details, confident that its profits were worth modifying its
customers' computers. When its actions were first discovered, Sony
offered a "fix" that didn't remove the rootkit, just the cloaking.

Sony claimed the rootkit didn't phone home when it did. On Nov. 4,
Thomas Hesse, Sony BMG's president of global digital business,
demonstrated the company's disdain for its customers when he said,
"Most people don't even know what a rootkit is, so why should they
care about it?" in an NPR interview. Even Sony's apology only admits
that its rootkit "includes a feature that may make a user's computer
susceptible to a virus written specifically to target the software."

However, imperious corporate behavior is not the real story either.

This drama is also about incompetence. Sony's latest rootkit-removal
tool actually leaves a gaping vulnerability. And Sony's rootkit --
designed to stop copyright infringement -- itself may have infringed
on copyright. As amazing as it might seem, the code seems to include
an open-source MP3 encoder in violation of that library's license
agreement. But even that is not the real story.

It's an epic of class-action lawsuits in California and elsewhere,
and the focus of criminal investigations. The rootkit has even been
found on computers run by the Department of Defense, to the
Department of Homeland Security's displeasure. While Sony could be
prosecuted under U.S. cybercrime law, no one thinks it will be. And
lawsuits are never the whole story.

This saga is full of weird twists. Some pointed out how this sort of
software would degrade the reliability of Windows. Someone created
malicious code that used the rootkit to hide itself. A hacker used
the rootkit to avoid the spyware of a popular game. And there were
even calls for a worldwide Sony boycott. After all, if you can't
trust Sony not to infect your computer when you buy its music CDs,
can you trust it to sell you an uninfected computer in the first
place? That's a good question, but -- again -- not the real story.

It's yet another situation where Macintosh users can watch, amused
(well, mostly) from the sidelines, wondering why anyone still uses
Microsoft Windows. But certainly, even that is not the real story.

The story to pay attention to here is the collusion between big
media companies who try to control what we do on our computers and
computer-security companies who are supposed to be protecting us.

Initial estimates are that more than half a million computers
worldwide are infected with this Sony rootkit. Those are amazing
infection numbers, making this one of the most serious internet
epidemics of all time -- on a par with worms like Blaster, Slammer,
Code Red and Nimda.

What do you think of your antivirus company, the one that didn't
notice Sony's rootkit as it infected half a million computers? And
this isn't one of those lightning-fast internet worms; this one has
been spreading since mid-2004. Because it spread through infected
CDs, not through internet connections, they didn't notice? This is
exactly the kind of thing we're paying those companies to detect --
especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery
was the deafening silence that followed. When a new piece of malware
is found, security companies fall over themselves to clean our
computers and inoculate our networks. Not in this case.

McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it
doesn't remove the rootkit, only the cloaking device. The company
admits on its web page that this is a lousy compromise. "McAfee
detects, removes and prevents reinstallation of XCP." That's the
cloaking code. "Please note that removal will not impair the
copyright-protection mechanisms installed from the CD. There have
been reports of system crashes possibly resulting from uninstalling
XCP." Thanks for the warning.

Symantec's response to the rootkit has, to put it kindly, evolved.
At first the company didn't consider XCP malware at all. It wasn't
until Nov. 11 that Symantec posted a tool to remove the cloaking. As
of Nov. 15, it is still wishy-washy about it, explaining that "this
rootkit was designed to hide a legitimate application, but it can be
used to hide other objects, including malicious software."

The only thing that makes this rootkit legitimate is that a
multinational corporation put it on your computer, not a criminal
organization.

You might expect Microsoft to be the first company to condemn this
rootkit. After all, XCP corrupts Windows' internals in a pretty
nasty way. It's the sort of behavior that could easily lead to
system crashes -- crashes that customers would blame on Microsoft.
But it wasn't until Nov. 13, when public pressure was just too great
to ignore, that Microsoft announced it would update its security
tools to detect and remove the cloaking portion of the rootkit.

Perhaps the only security company that deserves praise is F-Secure,
the first and the loudest critic of Sony's actions. And
Sysinternals, of course, which hosts Russinovich's blog and brought
this to light.

Bad security happens. It always has and it always will. And
companies do stupid things; always have and always will. But the
reason we buy security products from Symantec, McAfee and others is
to protect us from bad security.

I truly believed that even in the biggest and most-corporate
security company there are people with hackerish instincts, people
who will do the right thing and blow the whistle. That all the big
security companies, with over a year's lead time, would fail to
notice or do anything about this Sony rootkit demonstrates
incompetence at best, and lousy ethics at worst.

Microsoft I can understand. The company is a fan of invasive copy
protection -- it's being built into the next version of Windows.
Microsoft is trying to work with media companies like Sony, hoping
Windows becomes the media-distribution channel of choice. And
Microsoft is known for watching out for its business interests at
the expense of those of its customers.

What happens when the creators of malware collude with the very
companies we hire to protect us from that malware?

We users lose, that's what happens. A dangerous and damaging rootkit
gets introduced into the wild, and half a million computers get
infected before anyone does anything.

Who are the security companies really working for? It's unlikely
that this Sony rootkit is the only example of a media company using
this technology. Which security company has engineers looking for
the others who might be doing it? And what will they do if they find
one?  What will they do the next time some multinational company
decides that owning your computers is a good idea?

These questions are the real story, and we all deserve answers.

This essay originally appeared in Wired:
<http://www.wired.com/news/privacy/0,1848,69601,00.html>
There are a lot of links in this essay.  You can see them on Wired's
page. Or here:
<http://www.schneier.com/essay-094.html>

These are my other blog posts on this:
<http://www.schneier.com/blog/archives/2005/11/sony_secretly_i_1.html>
<http://www.schneier.com/blog/archives/2005/11/more_on_sonys_d.html>
<http://www.schneier.com/blog/archives/2005/11/still_more_on_s_1.html>
<http://www.schneier.com/blog/archives/2005/11/the_sony_rootki.html>
There are lots of other links in these posts.