
The Smell of Sterile Burning

There’s a growing noise about Sony’s apparent attempt to install digital rights management software that uses techniques usually associated with attackers trying to keep control of a compromised computer: Mark’s Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far:

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.

The comments below Mark Russinovich’s post reveal growing frustration with such clumsy attempts to control what users do with CDs they buy from legitimate sources. They may also prompt a class-action suit against the company in the U.S., since early versions of the End User License Agreement on the software may not have covered such software installation. A representative of SF-based Green Welling LLP has posted a comment asking to hear from “any California residents that have experienced this problem before the EULA was changed. We have looked at many DRM cases and Sony went too far with this particular scheme”. (The End User License Agreement originally, according to Russinovich, made “no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall”.) Bruce Schneier asks whether Sony may have “violated the Computer Misuse Act in the UK? If this isn’t clearly in the EULA, they have exceeded their privilege on the customer’s system by installing a rootkit to hide their software.”

Sony deny that their software is malware or spyware: Their FAQ says “the protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement.”

According to eWeek, the technology has a name: ‘sterile burning’. And it’s built by a British company called First 4 Internet, whose CEO, Mathew Gilliat-Smith, is quoted as saying it’s not a rootkit but part of a copy protection system designed to balance security and ease of use for the CD buyer. First 4 Internet call it XCP, for Extended Copy Protection, which “aims to provide effective levels of protection against the unauthorised copying of digital audio and data files without compromising sound quality and playability. XCP helps to protect the rights of Artists and Record Labels while accommodating consumer needs for ‘fair use’ copying.” More specifically, it

protects the content of an audio disc without compromising playability or quality. By using a range of methodologies, including the construction of multiple protection layers, limiting the ROM player accessibility to the provided player software and encapsulating the Red Book audio content, XCP can be used by content owners to help protect digital content from unauthorised copying.

It was first shipped by Sony BMG in March. A new version has been developed with features which, eWeek says, “respond to many of the questions Russinovich raised in his analysis” and will be available in new Sony BMG CDs. But will it be too late by then? Who in their right mind would risk buying a Sony BMG CD?

The Grim Reality Of The Phishers

Good piece in this month’s US Banker magazine on phishing. Some tidbits:

Phishing is getting more and more sophisticated. I’ve detailed some of those tricks in this blog, but here’s one I hadn’t heard of:

Crooks [the unfortunately named Ted Crooks, vp of identity protection solutions at Fair Isaac] says that “the level of cleverness is disturbing.” He notes how in one phishing scheme, phishers sent out an e-mail that requested sensitive information and to prove to customers the request was legitimate included two numbers the phishers said were the last two digits of each customer’s account number. As Crooks points out, a random two-digit combination has a one in 100 chance of being right, so if a phisher sent such an e-mail to one million users, 10,000 people’s accounts will match those two numbers.
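To see why a “matching” detail like this proves nothing at spam scale, here is an added Python example (written for this page, not code from the magazine piece or from Fair Isaac). It models the trick with constructed, randomly generated account suffixes and generalises it to any number of guessed digits; the recipient counts and the random seed are arbitrary choices for the demonstration.

```python
"""Why a guessed 'last two digits of your account' is not proof of anything.

Added example with constructed data; it is not code from the magazine or
from Fair Isaac. Account suffixes and the phisher's guesses are both drawn
uniformly at random, which is the phisher's worst case.
"""
import random
from collections import Counter


def expected_matches(recipients: int, digits: int = 2) -> float:
    """Expected number of recipients whose real suffix equals a random
    `digits`-long guess: each individual match has probability 10**-digits."""
    return recipients / 10 ** digits


def digits_needed(recipients: int, max_expected: float = 1.0) -> int:
    """Smallest number of guessed digits at which the expected number of
    accidental matches across the whole mailing falls below `max_expected`."""
    d = 0
    while recipients / 10 ** d >= max_expected:
        d += 1
    return d


def simulate_blast(recipients: int, digits: int = 2, seed: int = 2005) -> dict:
    """Send one mail per recipient, each carrying a random suffix guess, and
    count the recipients who see their own digits. Also report the best a
    phisher could do by mailing the single most common suffix to everyone
    (which a leaked sample of real account numbers would tell them)."""
    rng = random.Random(seed)
    modulus = 10 ** digits
    suffixes = [rng.randrange(modulus) for _ in range(recipients)]  # constructed
    guesses = [rng.randrange(modulus) for _ in range(recipients)]
    random_hits = sum(1 for s, g in zip(suffixes, guesses) if s == g)
    best_suffix, best_count = Counter(suffixes).most_common(1)[0]
    return {
        "random_hits": random_hits,
        "best_single_guess_hits": best_count,
        "best_single_guess": f"{best_suffix:0{digits}d}",
    }


if __name__ == "__main__":
    print("expected matches for 1,000,000 mails, 2 digits:",
          expected_matches(1_000_000, 2))
    print("digits needed before fewer than one recipient matches:",
          digits_needed(1_000_000))
    print(simulate_blast(100_000))
```

With a million mails and two digits the expected count is the 10,000 Crooks describes; getting below a single accidental match needs seven digits, which is most of an account number. Mailing the most common suffix to everyone can never do worse than the average and does better wherever real suffixes are not uniformly distributed. The lesson for a bank is that anything it prints as proof of authenticity must be something a sender could not plausibly have guessed, or the verification has to happen out of band, as in the phone callback described later in this piece.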

Another thing regular readers will know about is the sometimes absurd figures attached to losses associated with phishing:

TowerGroup estimates that direct fraud losses attributable to phishing will top $137.1 million globally in 2004, a figure far below widely cited levels of $1 billion and just a fraction of the total fraud at banks.

But I guess what is worrying is that phishers will start to target those smaller institutions that don’t have the clout to do much about it:

TowerGroup predicts the number of phishing attacks will top 31,300 in 2004 and rise to more than 86,000 by 2005 as they spread to smaller institutions, new merchant/service-provider categories, and new global markets.

Then there’s the need for banks to do more. Consumers don’t believe they are doing so, and I sometimes wonder whether the reason that banks give for not introducing more complicated and multi-layered log-in processes — that users don’t like it — is just an excuse. There are some interesting new approaches being tried out there:

Acknowledging the reality of what consumers will and will not do, Associated Bank, a $20 billion bank in Green Bay, WI, has implemented a voice biometric technology from Authentify to securely pass sensitive information to customers via the Internet. When the customer logs onto the Web site to receive a PIN, a phone call is placed to the customer’s home or office. When the customer answers the phone, the voice biometric verifies that it is the customer and not a phisher requesting the PIN. This confirmation doesn’t require the customer to do anything out of the ordinary. It requires no training, no cost and no software installation.

Other efforts are being focused on foiling the phishers at their own point of sale:

One novel phishing countermeasure utilized by Cyota is bombarding the phishing Web site with bogus customer information. “It looks like real user names and passwords, but it’s just a hodgepodge,” [Cyota CEO Naftali] Bennett says. It compromises the phisher’s data, making it a painstaking process to sort out the legitimate accounts. “We want to change the equation for them. We want to make it harder to use the data and put them at risk of selling bad data to their customers,” Bennett says.
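As an added illustration of this countermeasure (example code written for this page, not Cyota’s software), the following Python generates decoy submissions shaped like real customer records and form-encodes them for the phishing site’s login handler. The surnames, the password shape, the form field names, the URL and the use of a Luhn check digit on the account number are all assumptions; real decoys have to copy whatever format and checks the targeted bank’s customer data actually has, or the phisher filters them out in one pass.

```python
"""Decoy credentials for poisoning a phishing site's harvest.

Added example, not Cyota's code. Everything here is constructed: the surnames,
the password shape, the form field names and the Luhn check digit are stand-ins
for whatever the targeted bank's real data looks like.
"""
import random
import string
from urllib.parse import urlencode

SURNAMES = ["smith", "jones", "nguyen", "garcia", "okafor", "mueller", "tanaka"]


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test (assumed format)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """The cheap filter a phisher might run to drop junk account numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def make_decoy(rng: random.Random) -> dict:
    """One decoy shaped like a real record: username = initial + surname +
    two digits, password = 8 mixed characters, account = 9 digits + check digit."""
    username = (rng.choice(string.ascii_lowercase) + rng.choice(SURNAMES)
                + str(rng.randrange(10, 100)))
    alphabet = string.ascii_letters + string.digits
    password = "".join(rng.choice(alphabet) for _ in range(8))
    body = "".join(rng.choice(string.digits) for _ in range(9))
    return {"username": username, "password": password,
            "account": body + luhn_check_digit(body)}


def decoy_batch(n: int, seed: int = 7) -> list:
    """Seeded so the bank can regenerate, and therefore recognise, its own decoys."""
    rng = random.Random(seed)
    return [make_decoy(rng) for _ in range(n)]


def build_submission(decoy: dict, action_url: str) -> tuple:
    """(url, body) for an HTTP POST mirroring the phishing page's own form;
    the field names are assumed and must be copied from the live page."""
    body = urlencode({"user": decoy["username"], "pass": decoy["password"],
                      "acct": decoy["account"]})
    return action_url, body


def real_fraction(real_submissions: int, decoys: int) -> float:
    """Share of the phisher's harvest that is genuine after flooding."""
    return real_submissions / (real_submissions + decoys)


if __name__ == "__main__":
    for d in decoy_batch(3):
        print(build_submission(d, "http://phish.example/login.php"))
    print("real share after 500 victims and 49,500 decoys:",
          real_fraction(500, 49_500))
```

Two practical points follow from this. Flooding only works if the decoys survive whatever cheap sanity checks the phisher applies, which is why the account numbers here carry a valid check digit; a batch of obviously malformed records would be discarded in seconds. And because the batch is generated from a seed, the bank can keep a record of exactly which decoys it sent, so a later login attempt with one of them is itself a useful signal that the phisher is trying, or has sold, the harvested data. Submitting to a live phishing site is an operation for the fraud and takedown team, with the appropriate sign-off, not something to run from a workstation.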

The bottom line, however, is well expressed by Gene Neyer, head of the Financial Services Technology Consortium’s counterphishing effort:

“Phishing has become a problem overnight because it has leveraged the infrastructure of spam,” says the FSTC’s Neyer. “And like spam, the concern is that with phishing every countermeasure spurs technology to get around the countermeasure. Unfortunately, scams that rely on social engineering can never be eliminated, but practical, tactical strategies can be put in place.”