
Please, no "good" software to fix the bad software

Posted Nov 22, 2005 0:55 UTC (Tue) by felixfix (subscriber, #242)
In reply to: EFF? Good, maybe by ncm
Parent article: EFF Files Class Action Lawsuit Against Sony BMG

You wrote ... Maybe they can oblige Sony to add software to every future disc that offers to remove whatever was installed by the infected ones ...

No no no! Not only has it become apparent that their original rootkit was buggy, making me doubt they are competent enough to remove it safely, but the original sin was installing software without asking. Even if they ask with the new "good" software, that is a terrible precedent to set. They need to provide the fix on an opt-in basis, and since the bad software has been phoning home, they surely know where most of the rootkits are. They need to take care of this the proper way, sending registered letters, sending email, whatever it takes, to get people aware of what Sony has done to them, and the removal fix must NOT come from Sony's web site. Sony is simply untrustworthy at this stage. The fix must come from some well known trusted site, for instance, the EFF itself, or a government agency.



Discovery

Posted Nov 22, 2005 5:16 UTC (Tue) by ncm (subscriber, #165)

Which part of "offers to remove", or "the code involved would have to be produced and signed by somebody appointed by the court, rather than Sony or F4I" was hard to understand? Nobody suggested that would be the whole of the settlement, just a source of continuing embarrassment for Sony.

Perhaps the real value in the lawsuit is in the discovery, which allows us to find out, e.g., how many machines are actually infected, including how many within the DOD, DOE, CIA, FBI, Congress, White House, etc.

Discovery

Posted Nov 22, 2005 6:58 UTC (Tue) by hppnq (subscriber, #14462)

What exactly would be the point of this rather shady exercise? Really, I see no need to interfere with Sony's own rather successful approach, let alone by way of forcing them to distribute another piece of malware. (There is also the tiny practical problem that your scheme forces everyone infected to acquire another CD from Sony.)

And are you suggesting that, if machines within US government turned out to be infected, this would really put the icing on the cake?! Things not bad enough as they are?

Discovery

Posted Nov 22, 2005 21:12 UTC (Tue) by ncm (subscriber, #165)

First, we already know that machines in gov't agencies are infected, we just don't know how many, although the number is probably large. There's nothing like counting them and publicizing that number to put the pols on notice that something criminal happened. Criminal prosecutions would be much better than ordinary lawsuits.

Second, I have no idea what you imagine to be "shady", or what you imagine to be successful about "Sony's approach". There is absolutely no way to communicate directly with all the people whose machines are infected, or to explain to them what it means to be infected. However, they are all known to purchase and (unwisely) install software from music CDs. Software to detect and uninstall an already-installed rootkit is much less tricky to write than to install one more-or-less successfully in the first place. Furthermore, it's much less risky, since the harm -- installing it -- has already been done. The worst that could happen is they need to re-install the OS, which is what they probably ought to do anyhow.

Again, nobody has suggested that this be the whole of the settlement.

Discovery

Posted Nov 22, 2005 22:45 UTC (Tue) by hppnq (subscriber, #14462)

There's nothing like counting them and publicizing that number to put the pols on notice that something criminal happened.

Uhuh. We haven't noticed anything yet.

Second, I have no idea what you imagine to be "shady", or what you imagine to be successful about "Sony's approach".

How about: distributing music CDs with software that messes up your computer? (You cannot step in the same stream twice. ;-)

There is absolutely no way to communicate directly with all the people whose machines are infected, or to explain to them what it means to be infected. However, they are all known to purchase and (unwisely) install software from music CDs.

I am intrigued now, I can see the Sony marketing department studying this scenario. Let's see, what would be more fun: selling the same CD twice, or finally being able to get rid of the music that nobody would be interested in otherwise? Or an entirely new song? "Shake your rootkit" by Michael Jackson, I would buy that.

Or shall we just stick with the boring old put-the-patch-on-the-website approach, and do it properly this time?

Discovery

Posted Nov 23, 2005 0:22 UTC (Wed) by ncm (subscriber, #165)

We haven't noticed anything yet.

Of course not. "50000 DOD and FBI computers infected by Sony spyware" would get headlines, but without a count, there's no headline.

Or shall we just stick with the boring old put-the-patch-on-the-website approach...?

That's fine if you want to end up with only one in five infected machines cleaned up. This isn't rocket science. Fortunately, the people at EFF are not uniformly thick.

Automated Fix

Posted Nov 23, 2005 9:11 UTC (Wed) by ncm (subscriber, #165)

It turns out that at least one of the rootkits involved, when it phones home, checks for updates, so Sony could, in principle, be ordered to "update" it out of existence, no CDs needed -- for machines that are connected to the net, anyhow. That probably means most of them, except of course the more important ones within the DOD, NSA, etc.
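As an added illustration, not code from the original page or from any of the commenters, here is a minimal Go model of the remediation channel that ncm's two comments above sketch: a component that phones home for updates, but whose update check is pinned to a signing key held by a court-appointed party rather than by the vendor, and whose only permitted action under that key is "uninstall". The manifest format, the key generation, the version/replay check and every name in it are assumptions for the example; the real update protocol in the Sony/F4I software is not described on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the hypothetical update record fetched on phone-home.
// Field order is fixed, so json.Marshal gives stable bytes to sign.
type Manifest struct {
	Version int    `json:"version"`
	Action  string `json:"action"` // "install", "update" or "uninstall"
	Payload string `json:"payload"`
}

// SignedManifest carries the exact bytes that were signed plus the signature.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

// Sign produces a signed manifest under the given private key.
func Sign(m Manifest, priv ed25519.PrivateKey) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil { return SignedManifest{}, err }
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Verify checks the signature against the pinned trust root before parsing;
// a manifest signed by any other key (the vendor's included) is rejected.
func Verify(sm SignedManifest, trusted ed25519.PublicKey) (Manifest, error) {
	if len(sm.Sig) != ed25519.SignatureSize || !ed25519.Verify(trusted, sm.Body, sm.Sig) {
		return Manifest{}, errors.New("manifest not signed by the pinned trust root")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil { return Manifest{}, err }
	return m, nil
}

// Client models the installed component's update check.
type Client struct {
	TrustRoot ed25519.PublicKey // court-appointed key, not the vendor's
	Installed bool
	Version   int
}

// ApplyUpdate is the phone-home path. It accepts only a verified, strictly
// newer manifest, and the only action it will carry out is removal: an
// "install" or "update" is refused even when correctly signed.
func (c *Client) ApplyUpdate(sm SignedManifest) (string, error) {
	m, err := Verify(sm, c.TrustRoot)
	if err != nil { return "rejected", err }
	if m.Version <= c.Version {
		return "stale", errors.New("replay or rollback: version not newer than installed")
	}
	switch m.Action {
	case "uninstall":
		c.Installed = false
		c.Version = m.Version
		return "uninstalled", nil
	default:
		return "refused", fmt.Errorf("action %q not permitted under remediation policy", m.Action)
	}
}

// Scenario walks the flow with constructed keys and returns the client's
// status after each step, in order. Keys are generated fresh; nothing here
// is a real key or a real manifest.
func Scenario() ([]string, error) {
	courtPub, courtPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	_, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }

	c := &Client{TrustRoot: courtPub, Installed: true, Version: 1}
	steps := []struct {
		m Manifest
		k ed25519.PrivateKey
	}{
		{Manifest{Version: 2, Action: "uninstall"}, vendorPriv},                   // wrong signer: rejected
		{Manifest{Version: 2, Action: "install", Payload: "new-dll"}, courtPriv}, // right signer, wrong action: refused
		{Manifest{Version: 2, Action: "uninstall"}, courtPriv},                    // right signer, newer: uninstalled
		{Manifest{Version: 2, Action: "uninstall"}, courtPriv},                    // replay of the same manifest: stale
	}
	var statuses []string
	for _, s := range steps {
		sm, err := Sign(s.m, s.k)
		if err != nil { return nil, err }
		status, _ := c.ApplyUpdate(sm) // the error only explains the status
		statuses = append(statuses, status)
	}
	return statuses, nil
}

func main() {
	statuses, err := Scenario()
	if err != nil { panic(err) }
	fmt.Println(statuses) // [rejected refused uninstalled stale]
}
```

The point the model makes concrete is that the phone-home channel is only as trustworthy as the key it verifies against: moving the pinned root from the vendor to a court-appointed signer, and narrowing the accepted actions to removal, is what turns the same mechanism from a liability into the remediation path the comment proposes.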

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds