[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Is the truth harmful? - THE OFFICIAL BLOG OF THE SBS "DIVA"
Thu, Nov 10 2005 17:57 bradley

Is the truth harmful?

The webopedia defines a rootkit as...

A rootkit is often used to hide utilities used to abuse a compromised system. These often include so-called "backdoors" to help the attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to execute functions normally reserved for the superuser. All sorts of other tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems the compromised system communicates with, such as sniffers and keyloggers. A common abuse is to use a compromised computer as a staging ground for further abuse. This is often done to make the abuse appear to originate from the compromised system or network instead of the attacker. Tools for this can include (D)DoS tools and tools to relay chat sessions, (spam) e-mail or attacks.

Recently, some spyware and even commercial CD DRM software (Sony's, for example) have started using rootkit technology to hide themselves from the anti-spyware software and make uninstallation difficult.
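The definition above turns on one behaviour: the cloaking code filters what the operating system reports, so anti-spyware tools that ask through the normal API never see the hidden files. The defender's answer is a cross-view comparison, taking the same directory listing through two independent paths and flagging anything one view omits. The snippet below is an added illustration, not code from the original post or from any product it discusses; the "hooked" listing is simulated with a filter function, and the `hid_` name prefix it filters is a constructed placeholder rather than a real product's pattern.

```python
"""Cross-view detection of cloaked files (added illustration).

A hook that filters directory listings only deceives callers that go
through the hooked API. A second view of the same directory obtained
another way (raw disk, a different API, a boot from clean media) still
contains the files, so the set difference between the views exposes
exactly what the hook removed.
"""
import os
import tempfile

# Constructed placeholder: the name pattern our simulated hook strips from
# listings. Real cloaking drivers pick their own pattern; none is assumed here.
HIDDEN_PREFIX = "hid_"


def hooked_listing(path):
    """Simulates a directory-listing API whose results a cloaking hook filters."""
    return [n for n in os.listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def raw_listing(path):
    """Stands in for an independent, unfiltered view of the same directory."""
    return os.listdir(path)


def cross_view_diff(path):
    """Return names present in the raw view but missing from the API view.

    A non-empty result means something between the caller and the file
    system is lying about the directory's contents.
    """
    return sorted(set(raw_listing(path)) - set(hooked_listing(path)))


def build_sample_dir():
    """Create a scratch directory with constructed sample files, two of them 'cloaked'."""
    d = tempfile.mkdtemp()
    for name in ("readme.txt", "hid_driver.sys", "song.wma", "hid_config.dat"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print("API view :", sorted(hooked_listing(sample)))
    print("raw view :", sorted(raw_listing(sample)))
    print("cloaked  :", cross_view_diff(sample))
```

Run it and the API view shows only `readme.txt` and `song.wma`, while the diff lists the two `hid_` files. The same comparison is what makes a cloaking hook self-defeating for its author: the more names it hides, the larger and more obvious the discrepancy between views.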


Recently on a listserv there was a discussion that came up about Sony DRM and rootkits. And it wasn't the typical conversation you might think. It was about disclosure. About the process of telling a vendor to clean up their act. It was about asking if Mark Russinovich had given Sony a chance to fix the problem. It was about asking if what we ask about responsible disclosure for software companies applied equally to an entertainment company. And it was an interesting exercise in stopping me in my tracks and asking myself...especially with the blurring of the lines between Entertainment and Software these days, did the technology industry, and in particular Mark, do the responsible thing in handling this “rootkit”? Was this a blog event to be picked up in the media...or was this an event better handled a bit more quietly by notification of the vendor to allow them to prepare a fix?

But first, I'm still not quite sure about the 'black and white-ness' of the categorization of this as a rootkit.  I guess my problem is that I add an additional word to the front of the word rootkit.  It's a word that I .... well I think of this word as part of the basic definition of rootkit, but if you read the wikipedia definition...maybe not.

That word is “malicious”. Similar to spyware, there's a scale in my mind, a sliding scale that a piece of software crosses over. From the first step of not asking me, not informing me, all the way to stealing information from me, I guess in my mind the software that is defined as a 'rootkit' is down on that grey scale. It's malicious, it's out to do me harm.

In Sony's case, that file...its intent... is to protect someone's intellectual property rights. It's to keep others from stealing information, not to steal information from me. So in Sony's case... the intent wasn't there. While we'd all argue that Sony's implementation of DRM was stupid, uninformed, is making us lose trust in the entire DRM movement, can we truly say they had malicious intent? Even a guy at Sophos said “What they did was not intentionally malicious”. Okay, so if they were not intentionally bad...but just stupid....was the process by which they were informed...fair?

So what's happened now? It got blogged, picked up in the media, and now in fact, unfortunately in all this... bad guys are using the public information that was disclosed on the web to target this “rootkit” DRM software. Have we harmed ourselves in 'outing this vendor' like this? In not going to Sony and saying ..hey...can you clean up your act and disclose more of what you are doing? Was this disclosure process fair to us, the folks trying to keep computer users safe out here?

Look at me. I run a website called www.threatcode.com whose goal in life is to shame those vendors into cleaning up their acts. Yes, I personally have beta bugged and emailed Intuit, but does my 'outing' of them and other vendors like them, does the truth cause harm? This is normally a non-denominational blog..but it reminds me of a passage in the Bible that says “And you shall know the truth, and the truth shall make you free”. In this case...did it? Has this information made us free? Or has it made us more untrusting of software programs and what not? Has it in fact endangered us instead? Does my web site endanger folks?

I will tell you this though...Sony blew the PR on this. They weren't honest, their PR could have been a lot better on this. I think this should be a lesson to all companies to handle things better..say “we screwed up” rather than blowing off the concerns of the customers. Sometimes throwing yourselves on the gauntlet of public opinion and saying “I'm sorry, we were stupid” ... I think might have been better than how they did this.

Finally... I'm sorry .... anyone who buys a Neil Diamond record.... I think they deserve a bit of root-kit-ting don't you? 

Okay okay...kidding...just kidding..


# Flash advisory

Thursday, November 10, 2005 8:04 PM by TrackBack

# Great point - poor disclosure is poor disclosure.

Friday, November 11, 2005 8:40 AM by bradley

You know, I hadn't even thought about the obvious nature of this - it's a public disclosure of a security vulnerability. It's a really _bad_ security vulnerability - bad in terms of poor practice, rather than bad in terms of how much it can afflict you.

But there's a flip side to this. Is a vendor entitled to such a notification when it uses sleight-of-hand to install their software to begin with? If a worm or Trojan made its way into millions of systems, and suddenly was detected, even if it had no ill effects other than CPU use, you'd want to have it announced quickly.

There's an ambiguity here, in that Sony told Russinovich, in the EULA, that some software was to be installed, but it did not mention any of its functionality, intercepting the driver chain between the OS and the CD drive, and hiding files of specific names; as such, it seems like it might qualify under the description "Trojan horse" - you install it for one thing, but it does something else that you didn't expect and don't want, that is by the design of the software developer.

So, as a Trojan, it needs to be disclosed pronto, so as to be removable. As a security vulnerability in a vendor's product, the vendor needs to be informed. Which outweighs the other?

If this was Claria or some spyware company, would you have written this article?

# re: Is the truth harmful?

Friday, November 11, 2005 6:57 PM by bradley

Does anyone really think that if Mark had talked to Sony that this would have been fixed, addressed, etc? I seriously doubt it. The fact that they were sloppy with PR and were not honest about this should tell you something. They probably never expected many people to find out about this, but oops, someone did, and it was someone who knows Windows inside and out. Bad move Sony.

# The truth is not harmful, it is what it is.

Sunday, November 13, 2005 9:17 PM by TrackBack

I was about to blog in response to Susan Bradley's post "Is the truth harmful?" asking if XCP copy protection...

# The Truth? You can't handle the truth.

Thursday, November 17, 2005 4:19 AM by TrackBack

Was Sony BMG justified in deploying copy protection based on root-kit stealth technology?