Sony's Rootkit and the DMCA
Bruce Schneier has a good article [on his blog and] in Wired this morning, “Real Story of the Rogue Rootkit.” One aspect of the whole Sony story that’s not getting a lot of play is why we don’t see more of these things. Is Sony unique in their callous disregard of their customers, or are there more of these lurking? Clearly, Sony feels the same way about customers as your cell phone company: You’re a source of revenue to be locked-in and milked. Anyone who spent time in the internet bubble, hearing customers described as “sticky eyeballs,” understands that this view is not unique. (In stark contrast, I love our readers, and am happy each time I see more of you in the logs.)
So it seems reasonable to expect that Sony is not unique in placing nasty rootkits and malware on your computer. Over time, others have been discovered. (Richard Smith’s discovery of “CometCursor” springs to mind, but there have been others.) But I think what we’re discovering is likely a sample, not a complete list, and I’d like to explore the reasons for this.
The first reason is that Mark Russinoviches are rare. I’d estimate there are somewhere between 500 and 2000 active, publishing security researchers who do the sort of reverse engineering that Russinovich did. This number, I suspect, is higher than it has been previously, with a possible exception for the cracking gangs of the 80s, where the lower connectivity rates may have driven more people to learn to break copy-protection schemes. This isn’t even a back-of-the-envelope calculation, but a seat-of-the-pants gut check. I’d love to hear if anyone has done a real estimate.
The second, and I think more important, reason is the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium Copyright Act. The law makes it hard to understand what research you can perform when copyright protection is involved. I speak from personal experience: I once bought a copy-protected CD with the intent of breaking the (privacy-invading) software on it. As I started my research, and read the DMCA, I realized that I was unsure of the legal ground I was on. Talking to attorneys versed in this, it came down to “How do you feel about being a test case?” I went away, and someone else solved the problem.
Clearly, this solution is a mixed bag. I’m very much in favor of people learning to explore the technologies that surround them. Discouraging skilled professionals from exploring the world is a bad idea. Given a set of possible projects, anything that starts with “consult with the lawyers” is going to fall by the wayside. That’s bad for privacy. It’s bad for protecting the computer infrastructure that helps keep things running. It’s bad for society.