Why Didn't Security Firms Catch Sony BMG's Rootkit Earlier?

from the good-question dept

Bruce Schneier has written up an article for Wired News that highlights a very important question that has been totally ignored throughout the whole Sony BMG rootkit fiasco: how come no security applications caught the rootkit until after there was all this publicity about it and Sony gave them the code to find and remove it? It makes you wonder just how many other, malicious, offerings these firms are missing as well. Schneier blames the security companies for making the assumption that just because it’s from Sony and had a “legitimate” purpose, it was safe — which is a pretty big problem. Of course, another explanation is that many security firms are having difficulty keeping up with all the security vulnerabilities out there. None of these programs is yet able to be a comprehensive offering. That’s why so many of us have to run multiple security programs to have a chance at protecting a computer.



Comments on “Why Didn't Security Firms Catch Sony BMG's Rootkit Earlier?”

8 Comments
BlindSide says:

Still the wrong approach

“…None of these programs is yet able to be a comprehensive offering. That’s why so many of us have to run multiple security programs to have a chance at protecting a computer.”

That’s because they still are not tackling the security issue from the right angle. Current security is reactive, coding for awareness of new specific issues. You’ll never win that game, there’s always a way to do something different.

Everyone would be way better off if they simply adopted the “least access” principle, or a more proactive approach. By default, security software should assume *everything* is a threat, then allow the user to systematically allow execution of those things they use. This is the guiding principle of smart firewall security, and can be deployed on a large scale (so the AOL grandmas don’t have to worry about it directly).

When you stop being reactive, and simply say “no” to everything that’s not explicitly permitted, the entire problem disappears.

Chris says:

Re: Still the wrong approach

That’s because they still are not tackling the security issue from the right angle. Current security is reactive, coding for awareness of new specific issues. You’ll never win that game, there’s always a way to do something different.

The reason that AV companies use the model they do is simple, they can sell upgrades.

giafly says:

Re: Still the wrong approach

Re: When you stop being reactive, and simply say “no” to everything that’s not explicitly permitted, the entire problem disappears.

Unfortunately another problem appears: you have to know what to permit. I share an office with a support team and it is amazing how many calls are due to pop-up blockers and spam filters that people don’t understand. And they’re the simple things!

If you use ZoneAlarm, you’ll know how difficult it is to decide which services should be permitted Internet access, when all you know about them is a 5 or 6 character module name.

Tony says:

Re: Still the wrong approach

they still are not tackling the security issue from the right angle.

I’m not so sure there is a right angle. When have computers ever been “secure”?

Metaphor: having an open mind means the possibility of being “infected” with bad ideas, for a time at least. Computers have to live in the same world we all do. A closed mind may find “perfect security” in the comfort of knowing all the answers. This is, of course, insanity.

nonuser says:

another reason could be...

that Sony chose somewhat obscure, middle-of-the-road titles for XCP to dampen the rate of penetration, especially to techies who might discover the installation. For example, Sony owns rights to many of Miles Davis’ best recordings, but none are on the list published by the EFF:
http://www.eff.org/deeplinks/archives/004144.php
Instead Sony evidently put XCP on three jazz reissues, none of them too exciting. I actually bought “Silver’s Blue” but fortunately I only listen to audio CDs on my stereo (that’s where my handle comes from).
