Shostack + Friends Blog Archive


Sony's Rootkit and the DMCA

Bruce Schneier has a good article [on his blog and] in Wired this morning, “Real Story of the Rogue Rootkit.” One aspect of the whole Sony story that’s not getting a lot of play is why we don’t see more of these things. Is Sony unique in their callous disregard of their customers, or are there more of these lurking? Clearly, Sony feels the same way about customers as your cell phone company: You’re a source of revenue to be locked in and milked. Anyone who spent time in the internet bubble, hearing customers described as “sticky eyeballs,” understands that this view is not unique. (In stark contrast, I love our readers, and am happy each time I see more of you in the logs.)

So it seems reasonable to expect that Sony is not unique in placing nasty rootkits and malware on your computer. Over time, others have been discovered. (Richard Smith’s discovery of “CometCursor” springs to mind, but there have been others.) But I think what we’re discovering is likely a sample, not a complete list, and I’d like to explore the reasons for this.

The first reason is that Mark Russinoviches are rare. I’d estimate there are somewhere between 500 and 2000 active, publishing security researchers who do the sort of reverse engineering that Russinovich did. This number, I suspect, is higher than it has been previously, with a possible exception for the cracking gangs of the 80s, where the lower connectivity rates may have driven more people to learn to break copy-protection schemes. This isn’t even a back-of-the-envelope calculation, but a seat-of-the-pants gut check. I’d love to hear if anyone has done a real estimate.

The second, and I think more important, reason is the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium Copyright Act. The law makes it hard to understand what research you can perform when copyright protection is involved. I speak from personal experience: I once bought a copy-protected CD with the intent of breaking the (privacy-invading) software on it. As I started my research, and read the DMCA, I realized that I was unsure of the legal ground I was on. Talking to attorneys versed in this, it came down to “How do you feel about being a test case?” I went away, and someone else solved the problem.

Clearly, this solution is a mixed bag. I’m very much in favor of people learning to explore the technologies that surround them. Discouraging skilled professionals from exploring the world is a bad idea. Given a set of possible projects, anything that starts with “consult with the lawyers” is going to fall by the wayside. That’s bad for privacy. It’s bad for protecting the computer infrastructure that helps keep things running. It’s bad for society.

3 comments on "Sony's Rootkit and the DMCA"

  • Iang says:

    Who’s attacking who? I think the notion of authorisation and relying on the EULA to give a vendor wide open permission to invade the OS is starting to look thin.

  • The Sony Rootkit Saga Continues

    I’m just not able to keep up with all the twists and turns in this story. (My previous posts are here, here, here, and here, but a way better summary of the events is on BoingBoing: here and here. Actually,…

  • 90% Crud says:

    Why you weren’t protected from Sony

    In an article for Wired News, Bruce Schneier asks: What do you think of your antivirus company, the one that didn’t notice Sony’s rootkit as it infected half a million computers? Mr. Schneier’s readers answered him: Many readers pointed out to me…
