DHS: Sony rootkit may lead to regulation

Mon Feb 27 14:22:04 EST 2006

DHS: Sony rootkit may lead to regulation U.S. officials aim to avoid future 
security threats caused by copy protection software

News Story by Robert McMillan

FEBRUARY 16, 2006 (IDG NEWS SERVICE) - A U.S.  Department of Homeland
Security
official warned today that if software distributors continue to sell
products
with dangerous rootkit software, as Sony BMG Music Entertainment recently
did,
legislation or regulation could follow.

"We need to think about how that situation could have been avoided in the
first place," said Jonathan Frenkel, director of law enforcement policy for
the DHS's Border and Transportation Security Directorate, speaking at the
RSA
Conference 2006 in San Jose. "Legislation or regulation may not be
appropriate
in all cases, but it may be warranted in some circumstances."

Last year, Sony began distributing XCP (Extended Copy Protection) software
in
some of its products. The digital rights management software, which used
rootkit cloaking techniques normally employed by hackers, was later found to
be a security risk, and Sony was forced to recall millions of its CDs.

The incident quickly turned into a public relations disaster for Sony. It
also
attracted the attention of DHS officials, who met with Sony a few weeks
after
news of the rootkit was first published, Frenkel said. "The message was
certainly delivered in forceful terms that this was certainly not a useful
thing," he said.

While Sony's software was distributed without malicious intent, the DHS is
worried that a similar situation could occur again, this time with
more-serious consequences. "It's a potential vulnerability that's of strong
concern to the department," Frenkel said.

Though the DHS has no ability to implement the kind of regulation that
Frenkel
mentioned, the organization is attempting to increase industry awareness of
the rootkit problem, he said. "All we can do is, in essence, talk to them
and
embarrass them a little bit," Frenkel said.

In fact, this is not the first time the department has expressed concerns
over
the security of copy protection software. In November, the DHS's assistant
secretary for policy, Stewart Baker, warned copyright holders to be careful
of
how they protect their music and DVDs. "In the pursuit of protection of
intellectual property, it's important not to defeat or undermine the
security
measures that people need to adopt in these days," Baker said, according to
a
video posted to The Washington Post Web site.

Despite the Sony experience, the entertainment industry's use of rootkits
appears to be an ongoing problem. Earlier this week, security vendor
F-Secure
Corp. reported that it had discovered rootkit technology in the copy
protection system of the German DVD release of the American movie Mr. and
Mrs. Smith. The DVD is distributed in Germany by Kinowelt GmbH, according to
the Internet Movie Database.

Baker stopped short of mentioning Sony by name, but Frenkel did not. "The
recent Sony experience shows us that we need to be thinking about how to
ensure that consumers aren't surprised by what their software is programmed
to
do," he said.

Sony BMG officials could not immediately be reached for comment.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com