Sony Rootkit Fiasco Prompts Federal Warning

The U.S. Department of Homeland Security has warned software distributors they may be regulated if they sell products using rootkit-like technologies.

At the RSA Conference 2006 in San Jose, Department of Homeland Security official Jonathan Frenkel warned that if software distributors continue to distribute rootkit-like software designed to circumvent or defeat computer security measures, legislation or regulation may be necessary to rein in their practices.

Frankel was discussing the 2005 incident where XCP copy protection software embedded on selected Sony BMG music titles was found to compromise the security of Windows computers, and was later exploited by Windows malware. The software also installed itself without disclosing its presence and was difficult for users to remove without severely compromising Windows. The incident proved to be a public relations fiasco for Sony, whose repeated attempts to obscure, downplay, and minimize the issues only put more egg on their faces. Sony has since withdrawn the products and is working to settle private, state, and class action lawsuits.

“We need to think about how that situation could have been avoided in the first place,” said Frenkel. “Legislation or regulation may not be appropriate in all cases, but it may be warranted in some circumstances.” DHS officials reportedly met with Sony after news of XCP copy protection woes broke to express strong concerns over the product, but have not taken any formal action.

One open question is what the U.S. government or the Department of Homeland Security could do to prevent similar incidents in the future. Although Sony BMG was clearly cognizant of the technology in the XCP copy protection software, there is no reason to suspect the company distributed the digital right management system with the deliberate intent of compromising the security of customers’ computers (as much as Sony did desire to limit users’ ability to use their computers in ways it felt impinged on Sony’s rights). Any number of software products may contain bugs and loopholes which compromise user security, often in interoperation with other products. It’s unknown to what degree regulation or legislation could prevent those holes from being discovered and exploited; further, industry watchers note any civil, criminal, or regulatory penalties may simply serve to stifle product development and innovation as firms weigh the costs of new liabilities against their product development plans.

Despite the Sony fiasco, rootkit-like copy protection schemes don’t seem to be going away. Security developer F-Secure reported that it had found similar copy protection technology developed by Settec on a German DVD release of the film Mr. and Mrs. Smith.