Sony Settles

I’m proud to announce a major step forward in the legal phase of Sony’s rootkit: Scott Kamber and Sony have filed a proposed settlement for the national class-action suit brought by Scott. While I didn’t participate directly in the negotiations, I’m serving as an expert for Scott and provided input on the terms, which…


Circumventing Group Policy as a Limited User

Active Directory Group Policy settings are widely used to secure Windows systems because they can be customized to target and deploy to specific computers and users in an Active Directory-based network. In a previous blog post I warned that one of the risks of having end-users with local administrative privilege is that they can override…


Premature Victory Declaration?

Two weeks ago I declared victory in what the media is now referring to as the “Sony rootkit debacle”, but now I’m wondering if I jumped the gun. It turns out that the CDs containing the XCP rootkit technology are still widely available, there’s still no sign of an uninstaller, and comments made recently by…


Victory!

I’m proud to announce a significant victory in the ongoing Sony Digital Rights Management (DRM) saga; Sony has capitulated almost entirely. While not publicly admitting blame for distributing a rootkit, providing no uninstall for the DRM software, implementing a music player that sends information to Sony’s site, and supplying a remotely-exploitable ActiveX control for the…


Sony: No More Rootkit – For Now

There have been several significant developments in the Sony DRM story since my last post. The first is that, despite Sony’s and First 4 Internet’s claims that their rootkit poses no security risk, several viruses have been identified in the wild that exploit the cloaking functionality provided by the rootkit. Besides F-Secure and Computer Associates,…


Sony: You don’t reeeeaaaally want to uninstall, do you?

A few days after I posted my first blog entry on Sony’s rootkit, Sony and Rootkits: Digital Rights Management Gone Too Far, Sony announced to the press that it was making available a decloaking patch and uninstall capability through its support site. Note that I said press and not customer. The uninstall process Sony has…


Sony’s Rootkit: First 4 Internet Responds

First 4 Internet, the company that implements Sony’s Digital Rights Management (DRM) software that includes a rootkit, has responded to my last post, More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home. They rebut four of the points I raise in the post. Their first statement relates to my assertion that Sony’s player contacts…


More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

My posting Monday on Sony’s use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that’s reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world including USA Today and the BBC. This is the case of the blogosphere…


Sony, Rootkits and Digital Rights Management Gone Too Far

Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware…


The Bypass Traverse Checking (or is it the Change Notify?) Privilege

Privileges are special security powers that you assign to accounts in the Local Policies->User Rights Assignment node of the Local Security Policy editor, secpol.msc. When a user logs in, the Local Security Authority Subsystem process – Lsass.exe – creates a kernel-mode data structure called a token that contains the list of groups the user belongs to…