Consolidating my thoughts on the Sony Rootkit
I've had conversations with a few people regarding the news of the Sony 'rootkit' and what it means to them. Here's where I'm at (if you're unfamiliar with the issue, read all about it here (technical) or here (for the non-techie)):
a) Sony's copy protection is malicious.
...on several levels, no less. This is the first point because I need to get it out of the way. Yes, I'm in full agreement that this is bad, no excuses! Sony personnel lied about what the software does, and were deceitful when asked directly about it. Only when cornered did they start to provide solutions, which were, in some cases, worse than the original problem. And I should be clear: "Sony" didn't write a rootkit. Who is "Sony"? People make up any company, and it's people that make decisions and take action. By extension, someone wrote this abomination, and worse, someone approved its use.
b) Our anti-spyware/anti-virus should have stopped this.
When I first started using a Macintosh seriously - around 1989 or 1990 - there were a few viruses that would target the Mac. A few, genuine viruses. The answer was Norton Anti-Virus, or "NAV". While there were other anti-virus programs out for the Mac, none worked quite as well as NAV. What did NAV do differently? In addition to looking for viruses by 'signature' - matching the binary code that lives inside of virus code - it also looked for any activity on your system that looked like it might be something underhanded. Something trying to format your disk? NAV would pop up a message asking you if this action was legit. Is some program installing a file in a system directory (where it would run upon next start-up)? Again, a dialog box would ask you if this should be permitted or not. Regardless of whether you had current virus definitions, having to confirm suspicious activity was enough to stop the spread of any virus or worm.
So, where is that kind of software today? The scenario I described with NAV existed on the Macintosh over 15 years ago! Long before the virus/worm problem reached where it is today (helped along by greater connectivity). My feeling is that while some software claims to root out viruses this way (using 'heuristics'), the companies providing the software are too hung up on selling you the latest virus definitions. Of course, this provides them a nice annuity and keeps them in business identifying new virus strains and getting them into the newest definitions file.
Just keep in mind that, while I wouldn't recommend that anyone run a Windows box without anti-virus (well, OK, I do, but that's another story), Symantec, Panda, McAfee and the rest are in business. They're in the game primarily for their own interests, not yours.
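To make the NAV-style point concrete, here is a small sketch of my own (not code from this post, from Norton, or from Sony) that gives each observed action two verdicts: one from a signature list that is deliberately stale, and one from behaviour rules that ask the user before a disk format, a write into a system directory, or a change to an autostart location. The events, paths and hashes are constructed for the illustration, and the Windows Run key is assumed as the modern equivalent of a start-up directory.

```python
from dataclasses import dataclass

# Constructed locations a behaviour monitor would treat as sensitive.
SYSTEM_DIRS = ("C:\\Windows\\System32", "/System/Library")
AUTOSTART_KEYS = ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",)
# A stale "definitions file": only one old sample is known (made-up hash).
KNOWN_BAD_HASHES = {"deadbeef"}

@dataclass
class Event:
    process: str
    action: str        # "write_file", "set_registry" or "format_disk"
    target: str
    file_hash: str = ""

def signature_verdict(ev):
    """What the program IS: blocked only if its hash is already known."""
    return "deny" if ev.file_hash in KNOWN_BAD_HASHES else "allow"

def behaviour_verdict(ev):
    """What the program DOES: prompt for confirmation on suspicious acts."""
    if ev.action == "format_disk":
        return "ask"
    if ev.action == "write_file" and ev.target.startswith(SYSTEM_DIRS):
        return "ask"
    if ev.action == "set_registry" and ev.target.startswith(AUTOSTART_KEYS):
        return "ask"
    return "allow"

def triage(events):
    """Return (process, signature verdict, behaviour verdict) per event."""
    return [(ev.process, signature_verdict(ev), behaviour_verdict(ev))
            for ev in events]

# Constructed sample: a never-before-seen program that behaves like a rootkit
# installer, plus one old sample the definitions file does recognise.
SAMPLE_EVENTS = [
    Event("player.exe", "write_file", "C:\\Users\\me\\Music\\track01.wav", "1111"),
    Event("player.exe", "write_file", "C:\\Windows\\System32\\unknown.dll", "2222"),
    Event("player.exe", "set_registry",
          "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\player", "2222"),
    Event("oldvirus.exe", "write_file", "C:\\temp\\x", "deadbeef"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The unknown program sails past the signature check, while the behaviour rules would have prompted the user twice before anything persistent landed on the machine.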
c) No business user should be running with admin privileges or be able to install *anything*.
And this is the real nugget here, right? While what Sony did was wrong, the simple fact that plopping an audio CD in your machine requires your admin credentials to work should have set off warning bells long before it did. While the unwashed masses may not know any better and run as administrator, you're a business user and of course know better. All business machines should be centrally managed using Microsoft's Active Directory, Apple's OpenDirectory, Novell's eDirectory or a similar directory service. Worse, the rootkit wound up installed in places it should never have reached, which goes to show how far we all have to go on the security front.
Machines get set up, machines get imaged, machines get rolled out, end of story (even in a 'small' business). OK, there are valid exceptions to this, but the former should be the rule. The corollary to that rule is that end users do not run with admin privileges, and do not have access to an admin account that will let them install software. This goes for OS X machines, Windows, Linux or any multi-user OS.
Moral of the Story
The wrap-up to all of this is that the problems exist at several levels, none of which should be the case, but unfortunately are. The software should never have been written in the first place. It should never have been authorized for use. Windows shouldn't have holes that allow this sort of behavior. The software that we pay for to protect us against just this sort of thing should have been doing its job. No one should be running day-to-day with an admin account, and finally, if an action that should be harmless asks for your admin password, do not walk, but run away from that software.
Overall, it's about attentiveness. Being aware - on everyone's part. If you're talented enough to write software like this, you have a lot of options. Writing underhanded software can be turned down and walked away from. If you're on the receiving end of this, just as you wouldn't ignore a warning light or noise from your car (or bicycle, or train car, etc.), be aware of what your machine is doing and asking for. And finally, if your platform doesn't give you the level of security you need or like, move to another. There's very little excuse not to these days.