Rootkit DRM Constitutes Security Malpractice

Sony BMG Music Entertainments use of a rootkit to hide its digital rights management software deep and undetectably within the operating system of users computers was wrong on many levels.

The fact that the Sony BMG rootkit is virtually uninstallable is a clear violation of Californias Consumer Protection Against Computer Spyware Act, and as such, it has led to several class action suits against Sony BMG.

More alarming than Sony BMGs implementation of the rootkit was the sloppiness of its code, which made any file beginning with the string “$sys$” undetectable—a weakness that has been exploited by virus writers.

/zimages/4/28571.gifClick hereto read more about the extent of Sony BMGs rootkit DRM distribution.

The fact that Sony BMG saw nothing wrong with unleashing software that would burrow into its users systems—and the companys initial lighthearted response to criticism of its DRM software—shows an ethical blind spot that is disturbing.

Somehow, Sony BMG executives did not grasp the notion that customers computers and the operating systems that run them are private property.

The company still does not seem to get it. Although Sony BMG has dropped its use of U.K. vendor First 4 Internets technology, the company is plowing ahead with other DRM schemes.

If a respectable company such as Sony BMG—which, historically at least, has cared very deeply about its public perception—will stoop to this level to protect content, adware and malware makers will not be shy about using similar tactics.

What should IT professionals do?

Good backup policies and image management will allow IT managers to quickly repair infected machines. Also, users must be educated not to install applications.

/zimages/4/28571.gifRead morehereabout user privileges and how they relate to security threats such as the Sony DRM.

But, more importantly, the Sony BMG DRM incident is a clear example of why more applications should become user-mode-friendly. User-mode applications are able to run with standard use rights, and they dont have the ability to write into operating system directories such as the Windows directory.

/zimages/4/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis InternetsSecurity IT Hub.

Applications, especially consumer applications, have no business tweaking the operating system, and they should not require administrator rights to run on a PC. But unless more consumers and IT managers demand user-mode applications, application vendors and adware makers will continue to invade PC operating systems at will.

Microsofts decision to create security tools to clean up the Sony BMG DRM mess is a nice gesture that the general public is likely to appreciate.

We think its worth remembering, however, that the origin of the current malady can be traced back to the dangerously lax security in the Windows XP operating system.

Nonetheless, Sony BMGs ill-advised foray into digital rights malpractice must not become the norm, and its stiff-necked failure to repent its sins should not be regarded as an acceptable response to its customers legitimate anger. The company should do better, and its competitors should learn from the markets reaction rather than following Sony BMGs bad example.

No one debates Sony BMGs right to its media assets, but the right to defend its content property rights does not include the right to invade and damage its customers PCs.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.