Techdirt. Stories filed under "rootkits" Easily digestible tech news... http://www.techdirt.com/ en-us Techdirt. Stories filed under "rootkits"http://www.techdirt.com/images/td-88x31.gifhttp://www.techdirt.com/ Thu, 7 Feb 2013 09:42:36 PST Canadian Chamber Of Commerce Wants To Legalize Spyware Rootkits To Help Stop 'Illegal' Activity Mike Masnick http://www.techdirt.com/articles/20130207/03465521908/canadian-chamber-commerce-wants-to-legalize-spyware-rootkits-to-help-stop-illegal-activity.shtml http://www.techdirt.com/articles/20130207/03465521908/canadian-chamber-commerce-wants-to-legalize-spyware-rootkits-to-help-stop-illegal-activity.shtml allowing rootkit spyware to be installed surreptitiously for the purpose of stopping illegal activity. As Geist notes, the last time this battle was fought, it was fresh on the heels of the Sony rootkit debacle, so there wasn't much support for these concepts. But, with a few years distance, the industry groups are trying again. Specifically they either want to remove language that prevents the surreptitious installation of spyware -- or they want specific exemptions. For example, in the case of the following, they argue spyware should be allowed:
a program that is installed by or on behalf of a person to prevent, detect, investigate, or terminate activities that the person reasonably believes (i) present a risk or threatens the security, privacy, or unauthorized or fraudulent use, of a computer system, telecommunications facility, or network, or (ii) involves the contravention of any law of Canada, of a province or municipality of Canada or of a foreign state;
Basically, as long as you claim that you're going after someone for breaking the law, surreptitious installs are allowed. Geist points out the obvious: copyright holders will salivate over this.
This provision would effectively legalize spyware in Canada on behalf of these industry groups. The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. This exception could potentially cover programs designed to block access to certain websites (preventing the contravention of a law as would have been the case with SOPA), attempts to access wireless networks without authorization, or even keylogger programs tracking unsuspecting users (detection and investigation). Ensuring compliance with the law is important, but envisioning private enforcement through spyware without the involvement of courts, lawful authorities, and due process should be a non-starter.
If this works in Canada, expect to see similar provisions start popping up elsewhere around the world in short order.

Permalink | Comments | Email This Story
]]> this-is-a-bad-idea http://www.techdirt.com/comment_rss.php?sid=20130207/03465521908 Wed, 21 Nov 2007 17:40:28 PST Is It A Good Idea To Violate The Security Of Your Customers If They're Security Ignorant? Mike Masnick http://www.techdirt.com/articles/20071121/164444.shtml http://www.techdirt.com/articles/20071121/164444.shtml Rich Kulawiec writes in to point out that security expert Dan Geer is suggesting that merchants violate the security of customers they deem as security risks. His argument is, basically, that there are two types of users out there: those who respond "yes" to any request -- and therefore are likely to be infected by multiple types of malware doing all sorts of bad things -- and those who respond "no" to any request, who are more likely to be safe. Thus, Geer says merchants should ask users if they want to connect over an "extra special secure connection," and if they respond "yes," you assume that they respond yes to everything and therefore are probably unsafe. To deal with those people, Geer says, you should effectively hack their computer. It won't be hard, since they're clearly ignorant and open to vulnerabilities -- so you just install a rootkit and "0wn" their machine for the duration of the transaction.

As Kulawiec notes in submitting this: "Maybe he's just kidding, and the sarcasm went right over my (caffeine-starved) brain. I certainly hope so, because otherwise there are so many things wrong with this that I'm struggling to decide which to list first." Indeed. I'm not sure he's kidding either, but the unintended consequences of violating the security of someone's computer, just because you assume they've been violated previously are likely to make things a lot worse. This seems like a suggestion that could have the same sort of negative unintended consequences as the suggestion others have made about creating "good trojans" that go around automatically closing the security holes and stopping malware by using the same techniques employed by the malware. Both are based on the idea that people are too stupid to cure themselves, and somehow "white hat" hackers can help fix things. Now, obviously, plenty of people do get infected -- but using that as an excuse to infect them back, even for noble purposes, is only going to create more problems in the long run. Other vulnerabilities will be created and you're trusting these "good" hackers to do no harm on top of what's been done already, which is unlikely to always be the case. No, security will never be perfect and some people will always be more vulnerable -- but that shouldn't give you a right to violate their security, even if for a good reason.

Permalink | Comments | Email This Story
]]> asking-for-serious-trouble http://www.techdirt.com/comment_rss.php?sid=20071121/164444 Tue, 4 Sep 2007 10:08:30 PDT How The Record Labels Are Only Ten Years Behind In Their Thinking About Business Models Mike Masnick http://www.techdirt.com/articles/20070903/173857.shtml http://www.techdirt.com/articles/20070903/173857.shtml profile of Rick Rubin, the well-known producer who had tremendous success over the past twenty years producing all sorts of successful musical acts -- from the Beastie Boys to Slayer to Johnny Cash -- and who took over as the co-head of Columbia Records back in May. While the story itself is interesting and focused on some of Rubin's peculiarities and his key focus on finding and producing good music -- there are a few other interesting tidbits that come out. The first is how Rubin was completely pissed off at Columbia prior to joining the company because the Sony rootkit debacle hit just as a Neil Diamond album Rubin produced had come out to great fanfare. It was apparently number 4 on the charts -- the highest ever for a Diamond opening. Except, Columbia is a subsidiary of Sony BMG and so the Neil Diamond album was included among those that had the rootkit -- and the furor over that got it pulled from the shelves, and that basically killed its commercial prospects. So, at least we know that Rubin won't be a fan of such things.

However, the article suggests that Rubin and others in the industry are much more interested in setting up some sort of universal subscription system that would allow any subscribers access to any music on any platform. What's most amusing about this is that this is exactly the proposal the EFF suggested many, many years ago, which recording industry executives insisted would never work. What's even funnier is they might be right now, after managing to screw up all sorts of goodwill from customers. Back when the EFF suggested it, it probably still could have worked. However, Rubin is exactly right on where the industry is headed if it doesn't figure out these new business models quickly: "The future technology companies will either wait for the record companies to smarten up, or they'll let them sink until they can buy them for 10 cents on the dollar and own the whole thing." That's why I've always figured that things would work out in the end. If the RIAA members keep shooting themselves in their collective feet, then the problem will eventually take care of itself. Of course, the labels could avoid a lot of the problems if they learned how to actually embrace certain aspects of file sharing. It's not clear that Rubin (or anyone else in the industry) has gone that far yet. They're just still working through the ancient EFF plan they derided when it first came out. In fact, one of Rubin's other questionable ideas is setting up a fake word-of-mouth marketing organization, where Columbia has hired a bunch of young adults to promote their music online on blogs and in forums and such. Hasn't anyone explained to them that word-of-mouth is about people who legitimately enjoy the music -- not those who are paid to promote it? File sharing was legitimate word-of-mouth marketing. Hiring young adults to spam forums is not.

Permalink | Comments | Email This Story
]]> eventually-they'll-get-there http://www.techdirt.com/comment_rss.php?sid=20070903/173857 Tue, 28 Aug 2007 08:23:40 PDT Sony Caught In Yet Another Rootkit Mess? Mike Masnick http://www.techdirt.com/articles/20070828/025314.shtml http://www.techdirt.com/articles/20070828/025314.shtml original rootkit debacle (which really was more of a BMG issue than a Sony one) you would think that perhaps someone higher up at Sony corporate would have sent around a memo or something to all the rest of Sony, suggesting that they check around and make sure that none of their products had rootkit-like functionality. Either that didn't happen... or someone didn't get the memo. It appears that a line of USB flash drive sticks that Sony sold have been discovered to install rootkit-like functionality that hides a folder on users' computers. And, of course, just like the original Sony rootkit, this hidden folder is perfect for malware writers to use as hiding places for their malware. While this one probably isn't as big a deal as last time around, let's see if Sony figured out that brushing it off because no one knows what rootkits are isn't exactly the best response to such a discovery. In the meantime, this highlights (once again) how weak many security programs are that they don't automatically look for this type of action in order to prevent it from happening in the first place.

Permalink | Comments | Email This Story
]]> don't-they-know-to-check-for-these-things? http://www.techdirt.com/comment_rss.php?sid=20070828/025314