'We Own All Your Computers...' Media Police! FREEZE! Move your hands slowly away from the keyboard, keeping them visible at all times. Do not attempt to touch your mouse...
A rootkit is a program designed to hide the existence of other programs from the owner of the computer. The main users of rootkits are virus, spyware, and other malware writers - and, of course, malicious hackers covering their tracks.

Eventually, after some sleuthing, Russinovich discovered that the rootkit had been installed by a SonyBMG CD - VanZant's 'Get With The Man'. In this case the purpose of the rootkit was to hide the fact that the offending CD had changed the configuration of the operating system (Windows) by installing a new device driver. The CD was using a copy protection product called XCP written by a British company called First4Internet.

Most of the tools used by hackers have legitimate uses as well as malicious ones. Rootkits, though, are one of the few kinds of program that don't fall into this category. There are no legitimate uses for a rootkit. Once a rootkit is installed, anyone who knows about it can use it to hide things from the computer's owner. You can easily imagine the alarm this news generated when Russinovich reported his findings in his blog!

But finding the rootkit was only the start. When he tried to remove the driver he discovered that Sony had failed to provide an uninstaller, and that when the driver was removed manually, the computer stopped being able to access the CD drive. Worse, an examination of the driver code revealed that removing the driver could completely crash the computer.

Sony's response to the revelation that they had been illicitly tampering with their customers' computers was summed up by a comment from Thomas Hesse, President, Global Digital Business, Sony BMG Music Entertainment: "Most people, I think, do not even know what a rootkit is, so why should they care about it?"

To make things worse for Sony, it was then discovered that the software was contacting Sony when you played the CD. Sony promptly issued a denial that there was any code to contact them.
This was followed by an equally prompt number of posts on the web containing detailed transcripts of the software communicating with a Sony server. Ooops! At this stage Sony backtracked and admitted that the software did indeed phone home, but that it was only to see if there was any updated artwork to display. I'd guess that was probably true, but by now, who was going to believe anything Sony told them? Needless to say, the sounds of class action lawyers sharpening their knives could be heard throughout the internet, though Sony seemed to be oblivious to the noise.

By now the news of Sony's rootkit had spread far and wide and hackers were starting to sit up and take notice. First off the blocks were World of Warcraft Online hackers, who developed a version of their cheat software that used the rootkit to hide their cheats from World of Warcraft's security program.

Under attack from all sides - the story had by now reached the mainstream media - Sony produced an uninstall program to remove the rootkit, but not the driver itself. If you wanted to remove the driver you had to go to the Sony web site, jump through hoops and provide Sony with all sorts of information it had no right to ask for. Within another day or so the first viruses using the rootkit had appeared, and Sony belatedly began to realise that they couldn't just wait for this to go away. They announced that they had halted production of music CDs with this particular protection, and that they would 're-examine all aspects of our content protection initiative'. Even so, they still didn't plan to recall all the CDs with the rootkit on.

By now a number of interesting sub-themes had emerged from this fiasco. For instance, at one stage Sony was trying to claim that users had agreed to having the rootkit installed because it was in the end user license agreement (EULA). This caused a lot of argument about whether that was the case or not, though my feeling is that it wasn't.
That debate, however, completely missed the main issue - since when have you had to agree to an end user license to listen to a music CD?

Another sub-theme that ran through the discussion - particularly in the blogs - was that of a conspiracy by the big media companies to seize control of people's computers. I'm sure big media would love to do that, but I don't think this was such an attempt. Never impute malice when greed and incompetence are sufficient!

One little covered aspect of the affair was that you could defeat the copy protection by putting gaffer tape (duct tape for my US readers) onto the outer edge of the disk. I don't really recommend you do that, since disabling the autorun facility of the computer's CD drive will also stop the rootkit and DRM from autoloading, after which you can play the music with any software you choose.

And finally, of course, those who bought legitimate CDs drew lessons from this affair that were very, very worrying to the big media companies. The legitimate owners of the music had their computers made more vulnerable to malware and their operating system made less stable. Those who obtained pirate copies over the net and didn't pay anything suffered no problems at all.

All this would have been bad enough, but the following week further revelations completely undermined all Sony's efforts at damage control. A number of people had been looking at Sony's code a little more closely, and what do you think they discovered? Nothing less than code taken from an open source MP3 encoder called LAME - in violation of its LGPL copyright license. And all this in the name of enforcing Sony's own copyright...

By now even Microsoft had noticed what was going on. They let it be known that they had decided to classify the XCP copy protection system as spyware, since it met the 'objective criteria' Microsoft uses to assess potentially malicious programs.
Being on the side of the good guys must have been quite a novel experience for Microsoft!

While all this was going on Sony came under attack from a completely different direction - allegations of Internet 'price-rigging'. It emerged that Sony and other manufacturers have been accused of asking online retailers for 10-15 per cent more for wholesale electronic goods than they charge their bricks and mortar counterparts! Sony is already facing investigations by the UK's Office of Fair Trading (OFT) and the European Commission over its pricing strategy.

Meanwhile, back at the ranch, Sony finally bowed to consumer pressure and agreed to withdraw and replace all the CDs affected by the rootkit. According to Sony about 4 million copies had been manufactured, and some 2.1 million sold.

But what of the compromised computers? Well, Sony eventually issued an 'uninstaller'. Hooray! Errrrrr, no actually. Security researchers soon discovered that the cure was even worse than the disease. In this case the cure took the form of an ActiveX control installed via Internet Explorer. Unfortunately, the control was installed with settings that allow a maliciously crafted web site to compromise the viewing computer. Those of you holding stock in First4Internet, purveyors of fine rootkits to media giants, may like to consider disposing of it as rapidly as possible :)

By Christmas Sony was facing a slew of class-action suits, a possible action in Italy, and an action from the State of Texas. And to cap it all, one of its other copy protection programs, MediaMax, was also under the microscope and revealing its own set of problems. Eventually, in the hiatus between Christmas and the New Year, details of the class action settlement in New York State slipped out. It was pretty harsh, and deservedly so. There was compensation for affected buyers of Sony CDs, software utilities to remove the offending copy protection, the recall of the XCP CDs and no manufacture of MediaMax CDs for at least two years.
On top of this there were also a series of other measures: an agreement not to collect personal information, and a waiver of rights obtained through the use of the EULA. I'm assured that rumours that Mr Hesse, quoted earlier, is retiring to spend more time with his rootkits, are totally unfounded.

But the real unanswered question from this fiasco is one that the mainstream, and even the technical, press have been noticeably reluctant to ask. Why didn't the anti-virus companies spot this rootkit? It's not as though rootkits are some sort of never before seen new-fangled attack - they are old hat in the security world. Where were Symantec, McAfee, Computer Associates and their ilk while Sony was installing its rootkit? You can take your choice of answer here - incompetence or collusion with Sony. If just one or two of them had missed it I would have gone for incompetence, using Occam's Razor as a justification. However, in this case the fact that they all failed to report it to their paying customers smacks of collusion. If I were one of their customers, I would be demanding that the legal eagles look into the A-V companies' role in this affair.

Finally, the whole affair raises to a high profile one of the most fundamental questions. Who owns your computer? You may think that having paid for it, you own it, but there are other contenders for this honour. In fact there are three completely different groups that lay claim to your computer - Microsoft, the media conglomerates, and last but not least, you. Waiting in the wings for an opportunity to put in its own claim is your government. The problem is, you see, that general purpose computing machines are just that - general purpose - and this means they can be configured to do just about anything. This is great from your point of view as the owner, but a total nightmare for all the others. Microsoft relies on being able to control the operating system to lock you into its products.
The media companies rely on control of the creative assets to make lots of money, and the government is generally uneasy about what you might do with all that computing power - look at the struggle over encryption, for instance. This three-way (maybe four-way in the not too distant future) struggle isn't going to be resolved in a hurry. And really it's only the latest episode in a saga going back to at least mediaeval times, when control over people's lives was contested by monarchs, trade guilds and the mob. As the Christian Bible so aptly puts it: '...and there is no new thing under the sun.'*
"Alan, Alan, wake up, it's time to get up!"
* The Book of Ecclesiastes, Chapter 1, verse 9