[conspire] Sony rootkit scandal of 2005 (was: Request to mailing list conspire rejected)

Rick Moen rick at linuxmafia.com
Sun Mar 24 23:45:53 PDT 2019


Quoting Texx (texxgadget at gmail.com):

Redirecting back on-list because of coverage of the lessons of the 2005
Sony malware scandal.

> Actually I missed the post with your research on it.

Twice.

> I can't afford $100 a year for AV software, and the computer available to me is
> an MS one.

I'm not a useful person to ask for Microsoft Windows advice, having
blown away Windows for Workgroups 3.11 around 1993 and never using it on
machines of my own again.  (At Cadence Design Systems in the 2000s, I
ran Debian on my work ThinkPad but a small virtual machine of MS-Windows
XP Pro underneath VMware Workstation 5.5, using the company
site-licensed copy, and it doubtless had some sort of built-in security
stuff, but I took no interest in that, as I used the virtual machine
only for Outlook, to use company mail and calendars, and MSIE, for one or
two haplessly ActiveX-dependent intranet sites.)

The last time I ran native MS-Windows on a work machine was the
aforementioned Windows for Workgroups 3.11 in the late 1980s and early
1990s, when I was an MIS staffer (MIS being what people now call IT).
The firm preloaded McAfee VirusScan, but I made a reasonable judgement
that I'd be better off disabling it and testing my theory that one could
avoid MS-Windows malware by just paying attention to what one is doing
and not _executing_ malware.  (There were other details, omitted here
for brevity.)  I made sure my backups were always current, made sure I
had master installation media for all of my software, and ran the
experiment.  It was highly successful, so I switched off the
stability-destroying, performance-robbing McAfee software permanently
and went with None of the Above.


> I can't afford to go out and buy a new linux box, it appears nothing I
> have is up to the task of Linux.  So I'm stuck with MS and the only AV
> I can afford.  I notice that Avast DOES have a better record of AV
> than most paid products.
> 
> Since you consider my choice "slimeball" I would be interested in what
> your suggestion would be.

Actually, I referred to the _firm_ as a fleabag antimalware company,
that opinion being based on their antisocial behaviour of automatically
defaulting to adulterating all of your outgoing e-mail with advertising.
That is a disreputable thing for them to do, irrespective of whether
there's a way to turn it off.

Unfortunately, fleabag behaviour from antimalware companies is extremely
common.  I have an extremely low opinion of the general run of such
companies, as their ethical standards tend to be grossly broken.

Here's a data point:  In 2005, security researcher Mark Russinovich
stumbled upon the fact that Sony BMG Music Entertainment was covertly
hiding MS-Windows malware onto Sony music CDs, as part of a
copy-prevention scheme to manipulate users.  (Copy prevention is what
the IT press refers to by the Orwellian name 'copy protection', though
it doesn't protect copies, but rather aims to prevent them.)  This was a
huge story in the press of the day, but the _really_ interesting related
story is the one uncovered by Bruce Schneier and others after
Russinovich made his shocking initial discovery:  They pointed out:

Hey, wait.  The particular malware (a 'rootkit') that Sony snuck onto
half a million users' Windows PCs was one that was well known to
antivirus companies, so why didn't they detect and remove it?  Hey,
guys, where was the malware protection?

Schneier looked into this.  Nothing but silence or spin-control from the
companies in question.  Why?  Because they knew perfectly well what Sony
was doing, and that it was exactly what their antivirus software was
supposed to detect, warn about, and fix, but kept silent and did nothing
for corrupt, unethical reasons, shafting their own customers to collude
with Sony.  Among the guilty parties in this sad picture was Microsoft
itself, which was proved to have detected the malware and deliberately
did nothing.

In his article, Schneier listed zero ethical antivirus companies and
two ethical security-monitoring companies _only_, ones that did the
right thing and raised the alarm about Sony's rootkit: F-Secure, and
Sysinternals (Mark Russinovich's blog site).  I would add a third outfit,
ClamAV, the open-source antivirus suite.

https://web.archive.org/web/20051201051328/http://www.wired.com:80/news/privacy/0,1848,69601,00.html

(That's Schneier's exposé for _Wired_, well worth your reading.)

The point is, except for F-Secure, Sysinternals, and ClamAV, all of the
major antivirus and security-monitoring outfits of the day were
culpable, sold their customers down the river and figured nobody would
notice and detect their treachery.  Thus, they fail my 'don't do
business with crooks' test, all having gone skeevy and treacherous when
it really mattered.
