Shostack + Friends Blog Archive

 

Macs and Sony's Rootkit

[Update: Welcome Wired readers! If you enjoyed Bruce Schneier’s article on who’s responsible for security flaws, please explore a little. The economics [emergentchaos.com/archives/cat_economics.html] of security [emergentchaos.com/archives/cat_information_security.html] and privacy [emergentchaos.com/archives/cat_privacy.html] issues are an ongoing theme.]

It wasn’t a plan that I was going to slag Apple this week. Really, I’m fond of my Mac, I’m just tired of claims that it’s somehow über-secüre. Now it comes out [link to http://www.macintouch.com/#tip.2005.11.10.sony no longer works] that Sony has licensed technology from SunnComm to rootkit your Mac. It’s harder for Sony to install, because (unlike a PC) they need you to authorize the installation. It’s possibly less damaging than on the PC, but we don’t yet know what the two kernel extensions do. The Unofficial Apple Weblog suggests that they’ll be disassembled, and I hope they’re right.

Comments in “Unintended consequences of DRM” suggest that the password is important, and while it is, I’m not sure how many people won’t just type their password on demand.

Previous posts about Apple security have been: “Kudos to Microsoft, Brick-brats to Apple” and “The Approaching Apple OSX86 Security Nightmare.”

14 comments on "Macs and Sony's Rootkit"

  • Saar Drimer says:

    less users = less security bugs found.
    same for mac, firefox or any other “little” used software (

  • Saar Drimer says:

    Adam,
    1. the link in my comment above isn’t underlined, so it is harder to tell it is one.
    2. when i check the “remember me” box, it doesn’t.
    fyi.
    cheers.

  • Daedala says:

    My understanding is that you have to look on the CD for Start.app and run it manually. It doesn’t auto-install. Not much Apple can do about people deliberately installing random stupid apps, or manufacturers that lie about what those apps do.

  • derbbre says:

    If you pick a piece of software off a CD, double-click it, and give it your admin username and password to install, then you shouldn’t complain about security. Bad security is Windows’ delight in installing apps behind your back without even so much as a how-do-you-do, NOT a program which requires an admin password to install. NO system will be secure against user ignorance.

  • TomCS says:

    I still want to know precisely what the Suncomm puts on my Mac if I am convinced that I want to “benefit” from the “advantages” which signing the EULA and loading the two programs offer. In fact I’m almost more worried about us all nodding through the Suncomm version of DRM, and so endorsing a de facto standard for “acceptable” audio disc DRM, while exulting at the defeat of the crass Windows rootkit variety. A conspiracy theorist would argue that the rootkit is so indefensible that it must be running interference for the real attack.
    I want to know what the Mac software is and what it does, and I want any audio disc which seeks to install any such software to give me a clear description of what it is and provide a simple and complete uninstaller. I want to know if it has a “phone home” capacity (in which case it’s a spyware), whether it only runs when I insert an audio disc, or whether it’s sitting there burning cycles all the time (in which case I want at least to have given explicit agreement). I want to know explicitly how severely it restricts my copying and media-shifting rights.
    At the very least there is an honesty in labelling issue here, which may well make the EULA moot: I can only give my consent to what is explained to me.
    So let’s get to the bottom of Sony/Suncomm as well, and work out a response that covers what is objectionable there as well.

  • Joachim says:

    Aloha!
    Saar Drimmer says:
    less users = less security bugs found.
    same for mac, firefox or any other “little” used software
    But that is not true. There is no proven linear relationship between number of users and number of security problems.
    The Apache web server vs IIS is one example to the contrary. I.e. I don’t agree with the posting you linked to either.
    There are many factors to consider for security problems, for example:
    (1) Number of bugs in the application.
    (2) Number of exploitable bugs. (I.e. the type of bug).
    (3) Number of users.
    (4) OS/SW environment that might mitigate/eliminate the problem.
    (5) Type of attack/exploit considered.
    Life ain’t linear.

  • Jen Z. says:

    Joachim is correct. What Mr Drimmer claims is not factually true or even logically consistent. Plus (perhaps English is not his first language – if so I apologize) it’s always “fewer” – not “less” – when modifying a quantity.

  • dwardoh says:

    Jen Z sez:
    “Plus (perhaps English is not his first language – if so I apologize) it’s always “fewer” – not “less” – when modifying a quantity.”
    A better explanation: “fewer” is properly used with ‘count’ nouns, e.g., fewer users, fewer bugs, fewer of things that you can count 1, 2, 3…; “less” is used with ‘mass’ nouns, e.g. less popularity, less aggravation, less sugar in your tea, less of any thing unmeasured in units.
    Perhaps Saar learned his English at the supermarket, standing in the “8 items or less” line.

  • sithlord says:

    I think what Saar Drimmer wanted to say was: if there’s only a few users for a software, you are “aware” only of a few security bugs. That doesn’t mean that there are actually a few bugs, but that means that you only know a few bugs. When several million people use window$, they use it in very different ways, so security bugs are shown easily.

  • Rafael says:

    Hello …
    English is NOT my first language so, please, excuse me if I don’t write correctly.
    >less users = less security
    >bugs found.
    I agree with saar … that’s wrong.
    More security = less security bugs found
    The security bugs don’t depend on the number of users; they only depend on the quality of the product.
    … or maybe …
    If a product has a high quality it will have fewer bugs and probably these bugs will be quickly and well corrected.
    The users only discover the real quality of the product.
    For example: TODAY linux and mac are more secure than windows … u can say “there will be one day when linux becomes less secure than windows” … maybe, but today the facts say that linux is more secure.

  • Timothy says:

    Saar Drimmer says: less users = less security bugs found.
    Joachim responded well to this, but there’s another factor: with open source projects, more users => more developers, although again probably not linearly.

  • Lurkily says:

    For those of you that already get what Saar said, this isn’t for you – I’m trying to make *perfectly* clear what he said, for those who obviously still misunderstand.
    I agree totally with Saar. But I do not agree with the statement that an application or OS with fewer users is, de facto, more secure.
    Fewer users != fewer security bugs.
    Fewer users == fewer security bugs FOUND.
    ( By the by, != is not equal to, == is equal to. )
    Saar is NOT saying the number of users has anything to do with the quality or security of an application – only with how well-explored those flaws are. He is trying to say that due to a smaller user base, Macs or indeed any application or OS may be far less secure than is commonly believed.
    Alternately, an OS or app like MS Windows, due to a massive user base and constant probing, has its every secret exposed almost immediately, making it seem less secure than it may be.

  • Me says:

    Why do you think Saar is a he? Is it because less != fewer?
