IDG News Service - A U.S. Department of Homeland Security official warned today that if software distributors continue to sell products with dangerous rootkit software, as Sony BMG Music Entertainment recently did, legislation or regulation could follow.
"We need to think about how that situation could have been avoided in the first place," said Jonathan Frenkel, director of law enforcement policy for the DHS's Border and Transportation Security Directorate, speaking at the RSA Conference 2006 in San Jose. "Legislation or regulation may not be appropriate in all cases, but it may be warranted in some circumstances."
Last year, Sony began distributing XCP (Extended Copy Protection) software in some of its products. The digital rights management software, which used rootkit cloaking techniques normally employed by hackers, was later found to be a security risk, and Sony was forced to recall millions of its CDs.
The incident quickly turned into a public relations disaster for Sony. It also attracted the attention of DHS officials, who met with Sony a few weeks after news of the rootkit was first published, Frenkel said. "The message was certainly delivered in forceful terms that this was certainly not a useful thing," he said.
While Sony's software was distributed without malicious intent, the DHS is worried that a similar situation could occur again, this time with more-serious consequences. "It's a potential vulnerability that's of strong concern to the department," Frenkel said.
Though the DHS has no ability to implement the kind of regulation that Frenkel mentioned, the organization is attempting to increase industry awareness of the rootkit problem, he said. "All we can do is, in essence, talk to them and embarrass them a little bit," Frenkel said.
In fact, this is not the first time the department has expressed concerns over the security of copy protection software. In November, the DHS's assistant secretary for policy, Stewart Baker, warned copyright holders to be careful of how they protect their music and DVDs. "In the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days," Baker said, according to a video posted to The Washington Post Web site.
Despite the Sony experience, the entertainment industry's use of rootkits appears to be an ongoing problem. Earlier this week, security vendor F-Secure Corp. reported that it had discovered rootkit technology in the copy protection system of the German DVD release of the American movie Mr. and Mrs. Smith. The DVD is distributed in Germany by Kinowelt GmbH, according to the Internet Movie Database.
Baker stopped short of mentioningSony by name, but Frenkel did not. "The recent Sony experience shows us that we need to be thinking about how to ensure that consumers aren't surprised by what their software is programmed to do," he said.
Sony BMG officials could not immediately be reached for comment.
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
