[fc-discuss] Financial Cryptography Update: Sony v. their customers - who's attacking who?

iang@iang.org iang@iang.org
Tue, 1 Nov 2005 12:23:10 +0000 (GMT)



                           November 01, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000590.html



------------------------------------------------------------------------

In another story similar in spirit to the Cuthbert case, Adam points to
Mark who discovers that Sony has installed malware into his Microsoft
Windows OS.  It's a long technical description which will be fun for
those who follow p2p, DRM, music or windows security.  For the rest I
will try and summarise:

http://www.emergentchaos.com/archives/001887.html
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Mark bought a music disk and played it on his PC.  The music disk
installed a secret _rootkit_, a programme that runs with privileges and
takes control of Microsoft's OS in unknown and nefarious ways.  In this
case, its primary purpose was to stop Mark from playing his purchased
music disk in various ways.

The derivative effects were a mess.  Mark knows security, so he spent a
long time cleaning out his system.  It wasn't easy, and was well beyond
most Windows experts, even ones with security training, I'd guess.

No hope for the planet there, then, but what struck me was this:  _Who
was attacking who?_  Was Sony attacking Mark?  Was Mark attacking Sony?
Or maybe they were both attacking Microsoft?

In all these interpretations, the participants took actions that were
undesirable, according to some theory.  Yet they had pretty reasonable
justifications, on the face of it.  Read the comments for more on this;
it seems that the readers for the most part picked up on the dilemmas.

So, following Cuthbert, both could take each other to court, and I
suppose Microsoft could dig in there as well.  Following the laws of
power, Sony would win against Mark because Sony is the corporation, and
Microsoft would win against Sony, because Microsoft always wins.

Then, there is the question of who was authorised to do what?  Again,
confusion reigns, as although there was a disclaimer on the merchant
site that the disk had some DRM in it, what that disclaimer didn't say
was that software that would be classified as malware would be
installed.  Later on, a bright commenter reported that the EULA from
the supplier's web site had changed to _add a clause_ saying that
software would be added to your Windows OS.

I can't help being totally skeptical about this notion of
"authorisation."  It doesn't pass the laugh test - putting a clause in
an EULA just doesn't seem to be adequate "authorisation" to infect a
user's machine with a rootkit, yet following the spirit of Cuthbert,
Sony would be authorised because they said they were, even if after the
fact.  Neither does the law that "unauthorises" the PC owner to
reverse-engineer the code in order to protect his property make any
sense.

So where are we?  In a mess, that's where.  The traditional security
assumptions are being challenged, and the framework to which people
have been working has been rent asunder.  A few weeks ago the attackers
were BT and Cuthbert, on the field of Tsunami charity; now it's Sony and
Mark, on the field of Microsoft and music.  In the meantime, the only
approach that I've heard make any sense is the Russian legal theory as
espoused by Daniel:  Caveat Lector.  If you are on the net, you are on
your own.  Unfortunately most of us are not in Russia, so we can't
benefit from the right to protect ourselves, and have to look to Sony
and Microsoft to protect us.

What a mess!
