Where was Sony's Privacy Officer?
November 21, 2005
By Ray Everett-Church

As this month's controversy over Sony's distribution of music CDs with flawed digital rights management (DRM) software continues to play itself out, the whole mess is already primed to become a classic case study in why corporations need competent Privacy Officers to keep them out of trouble.

According to news reports, about 20 different CD titles issued in recent months by Sony's BMG music distribution group have been outfitted with software called eXtended Copy Protection (XCP). XCP was designed to thwart illegal copying of music files; more than two million CDs containing it were shipped, mainly to retailers in the United States.

If you're like tens of millions of music lovers around the world, you often use your computer as your CD player, choosing to manage your music through software like Apple's iTunes or Yahoo's Musicmatch.

But when you pop one of these new Sony CDs into your computer, you've taken the first step on a dangerous journey into privacy violations, security holes, draconian licensing agreements, and maybe even a broken computer.

Making use of the CD "autorun" feature -- the default setting on most Windows-based operating systems -- the Sony software starts up immediately when you insert one of the problematic CDs into your computer. During the autorun sequence, the XCP software quietly installs itself from the CD, without your explicit knowledge or permission, much like your run-of-the-mill virus or spyware application.
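As an added illustration (not from the original column or from Sony), here is a PowerShell audit of the Windows autorun policy that the paragraph above describes. It assumes the standard NoDriveTypeAutoRun policy value, in which bit 0x20 covers CD-ROM drives and 0xFF disables autorun on every drive type; the registry paths are the standard policy locations, not anything taken from the article.

```powershell
# Added example: audit whether CD autorun is still enabled on this machine.
# NoDriveTypeAutoRun is a bitmask of drive types for which autorun is DISABLED;
# bit 0x20 is DRIVE_CDROM, so a value without that bit set leaves CD autorun on.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$cdromBit = 0x20

foreach ($p in $paths) {
    # Missing key or missing value both come back as $null with SilentlyContinue.
    $value = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    if ($null -eq $value) {
        Write-Output "$p : NoDriveTypeAutoRun not set (OS default applies; CD autorun is typically enabled)"
    }
    elseif (($value -band $cdromBit) -ne 0) {
        Write-Output ("{0} : 0x{1:X2} - CD-ROM autorun disabled" -f $p, $value)
    }
    else {
        Write-Output ("{0} : 0x{1:X2} - CD-ROM autorun still ENABLED" -f $p, $value)
    }
}

# Hardened setting (run from an elevated prompt): disable autorun for all drive types.
# Set-ItemProperty -Path $paths[0] -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
```

The machine-wide HKLM policy takes precedence over the per-user HKCU value when both are present, so the first line of output is the one that matters for a domain-managed workstation.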

At this point in the story, let me note for the record that I don't know whether Sony has a privacy officer. But it hardly takes a doctoral degree in privacy to appreciate that in this era, anything with spyware-like installation behavior is probably going to get you into trouble.

The fact that nobody at Sony stopped this from happening suggests to me they may not have had someone on the team tasked with asking the kinds of privacy and security questions that would have raised red flags. When there's nobody to see the warning signs and no one empowered to pull the cord on the emergency brake, it becomes a lot harder to keep the train from running off the edge of the cliff.

In the case of Sony's software, the train was going to hit many bumps in the track before it launched itself over that cliff.

Security analysts discovered the XCP software opens a backdoor into your computer -- mimicking the behavior of a class of malicious software that security experts call a 'rootkit'.

These rootkits allow another party, in this case Sony, to secretly access your system via the Internet, allowing them to execute programs, gather information, and send back detailed information about your computer usage and other bits of potentially personal information about you.

In some instances, the risks posed by rootkits are considered negligible and theoretical. That wasn't the case with Sony's software.

According to one of my colleagues here at eSecurityPlanet, the bad guys already have figured out how to exploit it to seize control of PCs.

The story of Sony's dastardly DRM debacle doesn't stop there. Other security analysts have discovered even more problems. One investigator discovered that attempting to remove XCP caused his CD drive to be completely disabled. Another expert reported that using a removal tool for another type of DRM software used by Sony could cause yet another rootkit-type security hole to be left wide open.

Glaringly Obvious Problems

I can understand Sony's desire to protect its artists' music from being illegally copied. I even can understand their motivation for exploring DRM technologies like XCP.

But at every turn, the problems that have come to light are so glaring and so obvious that it's impossible to think that a competent pre-launch review of the privacy and security consequences wouldn't have caused them to shelve the idea until the problems were solved.

Instead, what has emerged in these past few weeks is a picture of a major corporation whose executives neither understood, nor cared, what negative impacts their poor decision making would have.

It's important to remember that plenty of good companies make mistakes. But in my book, what sets a good company apart from a bad one is how they react when their mistakes are discovered.

When interviewed on the radio, the president of Sony BMG's Global Digital Business, Thomas Hesse, said, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

Note to Mr. Hesse: "Who cares?" is seldom a good response.

I'm betting that Mr. Hesse didn't know what a rootkit was before this issue arose, and from the tone of his comments, you can be sure he still doesn't understand the consequences of it. Unfortunately for him, the gross tonnage of what he doesn't understand about how his company screwed up is only now coming to light.

Security experts are estimating that, given the number of compromised CDs distributed by Sony, there could be more than half a million networks worldwide -- including critical systems at banks, universities, healthcare, and military installations -- where a simple attempt to listen to some music has resulted in computers being infected with Sony's rootkit. Now they're just sitting there waiting to be hacked.

Contempt for Consumers

Throughout the controversy, it has become quite clear that it never dawned upon Sony executives that they should give some thought to the risks to their brand and reputation, as well as the possible legal liabilities, arising from their DRM plans.

Looking more deeply at Sony's efforts to protect itself against music theft, however, suggests the problems are caused by more than just corporate ineptitude. A careful reading of the End User License Agreement (EULA) that is bundled with its music and software reveals a level of contempt for consumers that is truly breathtaking.

As an analysis of the Sony EULA posted by the Electronic Frontier Foundation makes clear, if you think you own the rights to play the music you just bought, you're sadly mistaken.

According to the EULA, you cannot transfer the music from the CD to your computer. If you ever lose the CD, you also lose any rights to listen to that CD on your iPod. If you move out of the country, fail to install any of Sony's rootkit software updates, or if you file bankruptcy -- yes, bankruptcy -- you must immediately delete the music.

Buckling under the weight of all the negative press, Sony has announced it is recalling all of its compromised CDs and will provide patches to fix security holes -- holes that Sony spokesmen still deny present any security risks at all!

Unfortunately, this entire episode suggests that Sony's executives aren't very clued into the concerns of consumers and haven't yet accepted the consequences of their poor decisions. This suggests to me that we probably haven't heard the last of Sony's invasive and intrusive DRM practices.

Now would be an excellent time for them to consider hiring a talented privacy officer to help them negotiate the difficult times they are still facing as the full scope of this mess begins to be understood.

Ray Everett-Church is Director of Email Policy for Habeas Inc., a provider of reputation services for email senders and receivers. He is a founder of CAUCE, an anti-spam advocacy group, and co-author of Internet Privacy for Dummies.
