Why Didn't Security Firms Catch Sony BMG's Rootkit Earlier?
from the good-question dept
Bruce Schneier has written up an article for Wired News that highlights a very important question that has been totally ignored throughout the whole Sony BMG rootkit fiasco: how come no security applications caught the rootkit until after there was all this publicity about it and Sony gave them the code to find and remove it? It makes you wonder just how many other, malicious, offerings these firms are missing as well. Schneier blames the security companies for making the assumption that just because it’s from Sony and had a “legitimate” purpose, it was safe — which is a pretty big problem. Of course, another explanation is that many security firms are having difficulty keeping up with all the security vulnerabilities out there. None of these programs is yet able to be a comprehensive offering. That’s why so many of us have to run multiple security programs to have a chance at protecting a computer.
Comments on “Why Didn't Security Firms Catch Sony BMG's Rootkit Earlier?”
DMCA, perhaps?
It seems to me there would be a hesitancy to include removal of Sony’s rootkit via {spyware|virus|malware}-removal tools due to fear of DMCA liability. Especially in the beginning when all the details were still fuzzy.
Still the wrong approach
“…None of these programs is yet able to be a comprehensive offering. That’s why so many of us have to run multiple security programs to have a chance at protecting a computer.”
That’s because they still are not tackling the security issue from the right angle. Current security is reactive, coding for awareness of new specific issues. You’ll never win that game, there’s always a way to do something different.
Everyone would be way better off if they simply adopted the “least access” principle, or a more proactive approach. By default, security software should assume *everything* is a threat, then allow the user to systematically allow execution of those things they use. This is the guiding principle of smart firewall security, and can be deployed on a large scale (so the AOL grandmas don’t have to worry about it directly).
When you stop being reactive, and simply say “no” to everything that’s not explicitly permitted, the entire problem disappears.
Re: Still the wrong approach
That’s because they still are not tackling the security issue from the right angle. Current security is reactive, coding for awareness of new specific issues. You’ll never win that game, there’s always a way to do something different.
The reason that AV companies use the model they do is simple, they can sell upgrades.
Re: Still the wrong approach
Re: When you stop being reactive, and simply say “no” to everything that’s not explicitly permitted, the entire problem disappears.
Unfortunately another problem appears: you have to know what to permit. I share an office with a support team and it is amazing how many calls are due to pop-up blockers and spam filters that people don’t understand. And they’re the simple things!
If you use ZoneAlarm, you’ll know how difficult it is to decide which services should be permitted Internet access, when all you know about them is a 5 or 6 character module name.
Re: Re: Still the wrong approach
The easy way to deal with that is to automatically disallow it. If something quits working right, then you know you disallowed the wrong thing and it is fairly simple to allow it net access again.
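The two models argued over in this sub-thread (the reactive signature scanner versus a default-deny execution allowlist, and the cost of having to know what to permit) as an added Python model; this is not code from the original thread or from any product named in it, and the file names and contents are constructed stand-ins.

```python
"""Toy comparison of reactive (signature denylist) versus default-deny (allowlist)
execution control, modelling the argument in the thread above."""
import hashlib

# Constructed sample "binaries": name -> contents. None of these are real files.
SAMPLE_BINARIES = {
    "office.exe": b"constructed stand-in for an application the admin already approved",
    "unknown_driver.sys": b"constructed stand-in for a cloaking driver nobody has a signature for",
    "unlisted_tool.exe": b"constructed stand-in for a legitimate tool not yet on the allowlist",
    "old_worm.exe": b"constructed stand-in for malware already in the signature database",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Reactive model: a denylist of hashes for malware that has already been analysed.
SIGNATURE_DB = {sha256(SAMPLE_BINARIES["old_worm.exe"])}


def reactive_decision(data: bytes) -> str:
    """Signature scanner: block only what is already known to be bad; allow the rest."""
    return "block" if sha256(data) in SIGNATURE_DB else "allow"


# Default-deny model: an allowlist of hashes the user or admin has explicitly approved.
ALLOWLIST = {sha256(SAMPLE_BINARIES["office.exe"])}


def default_deny_decision(data: bytes, allowlist: set = ALLOWLIST) -> str:
    """Allowlist policy: block anything not explicitly permitted, known-bad or not."""
    return "allow" if sha256(data) in allowlist else "block"


def approve(name: str, allowlist: set) -> None:
    """The 'something quit working, so allow it again' step from the reply above."""
    allowlist.add(sha256(SAMPLE_BINARIES[name]))


def compare(binaries: dict = SAMPLE_BINARIES) -> dict:
    """Return {name: (reactive verdict, default-deny verdict)} for each sample."""
    return {n: (reactive_decision(d), default_deny_decision(d)) for n, d in binaries.items()}


if __name__ == "__main__":
    for name, (reactive, strict) in compare().items():
        print(f"{name:20s} reactive={reactive:5s} default-deny={strict}")
```

The unknown driver slips past the reactive model but not the allowlist; the price, as the reply notes, is that the legitimate unlisted tool is blocked too until someone approves it.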
Re: Still the wrong approach
they still are not tackling the security issue from the right angle.
I’m not so sure there is a right angle. When have computers ever been “secure”?
Metaphor: having an open mind means the possibility of being “infected” with bad ideas, for a time at least. Computers have to live in the same world we all do. A closed mind may find “perfect security” in the comfort of knowing all the answers. This is, of course, insanity.
another reason could be...
that Sony chose somewhat obscure, middle-of-the-road titles for XCP to dampen the rate of penetration, especially to techies who might discover the installation. For example, Sony owns rights to many of Miles Davis’ best recordings, but none are on the list published by the EFF:
http://www.eff.org/deeplinks/archives/004144.php
Instead Sony evidently put XCP on three jazz reissues, none of them too exciting. I actually bought “Silver’s Blue” but fortunately I only listen to audio CDs on my stereo (that’s where my handle comes from).
No Subject Given
Isn’t it just one big company who owns everything?
Could be why it wasn’t caught.