The issue of rootkits has been all over the news lately. What triggered this was the court-ordered settlement handed down that requires Sony BMG Music Entertainment to compensate consumers who purchased Sony audio CDs that installed a rootkit when they were played on a PC. The compensation amounts to US$7.50 and a free album download from Sony’s catalogue for each CD purchased.
Let’s see, at 15 million purchases that works out to a total fine of about $250 million . . . not bad. Certainly a lot more than a slap on the wrist, but is it fair?
I ask because had some teenager in the likes of Defiant, Idaho, released similar code on the world with such reckless abandon, he would be looking at a jail term and his parents would be looking at bankruptcy. The culprit and his parents would have been held personally responsible.
So why have no Sony BMG executives been held personally responsible for their reckless, ignorant decision to distribute malware with their CDs?
Remember Thomas Hesse, the president of global digital business for Sony BMG Music Entertainment? When the furor over the Sony rootkit was reaching a head, it was Hesse who, in an interview on National Public Radio’s “Morning Edition,” said: “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”
Anyway, it probably won’t come as a surprise to find out that what happened to Hesse, who as top dog in this area surely should carry the responsibility of major cock-ups, was nothing. Amazing.
Part of the problem is that rootkit is an inexact term. Generally, rootkit means software that is run at the system level such that it cannot be detected. There are all sorts of processes running on computers that are hard to detect for a variety of reasons, but not many are considered rootkits; they are called things such as drivers or services or libraries.
What we’re interested in is software with a hidden agenda. Whether it has a hidden and actionable agenda depends on three things: The intention of the code, whether the code creator alerts the user as to the code’s deployment, and — this is the big one — whether the operating system can be defended against unauthorized modifications and audited to detect them should modifications occur.
Obviously code intended to do anything the user would not approve or not be aware of is unacceptable whether or not its creator actually tells the user.
The big problem is to what extent the operating system provides a defense against modifications. While there are tools such as Faronics Deepfreeze that can wipe out unauthorized system changes, this isn’t the same as detecting intrusions in real time. And while there are a few products that attempt to guard Windows systems against intrusions, unless that defense is done at a system level then it is not going to be effective.
So the issue with rootkits is not rootkits at all. It is the intentions of other people and their code, and whether we can hold those people personally responsible. If they work for large corporations, apparently we can’t.