Wednesday, November 30, 2005

Schneier on Security: A Science-Fiction Movie-Plot Threat:

This has got to be the most bizarre movie-plot threat to date: alien viruses downloaded via the SETI project:

In his [Richard Carrigan, a particle physicist at the US Fermi National Accelerator Laboratory in Illinois] report, entitled "Do potential Seti signals need to be decontaminated?", he suggests the Seti scientists may be too blase about finding a signal. "In science fiction, all the aliens are bad, but in the world of science, they are all good and simply want to get in touch." His main concern is that, intentionally or otherwise, an extra-terrestrial signal picked up by the Seti team could cause widespread damage to computers if released on to the internet without being checked.

Here's his website.

Although you have to admit, it could make a cool movie

(Via Schneier on Security.)

Schneier on Security: European Terrorism Law and Music Downloaders:

The European music industry is lobbying the European Parliament, demanding things that the RIAA can only dream about:

The music and film industries are demanding that the European parliament extends the scope of proposed anti-terror laws to help them prosecute illegal downloaders. In an open letter to MEPs, companies including Sony BMG, Disney and EMI have asked to be given access to communications data - records of phone calls, emails and internet surfing - in order to take legal action against pirates and filesharers. Current proposals restrict use of such information to cases of terrorism and organised crime.

Our society definitely needs a serious conversation about the fundamental freedoms we are sacrificing in a misguided attempt to keep us safe from terrorism. It feels both surreal and sickening to have to defend our fundamental freedoms against those who want to stop people from sharing music. How is it possible that we can contemplate so much damage to our society simply to protect the business model of a handful of companies?

(Via Schneier on Security.)

Schneier on Security: Vote Someone Else's Shares:

Do you own shares of a Janus mutual fund? Can you vote your shares through a website called vote.proxy-direct.com? If so, you can vote the shares of others.

If you have a valid proxy number, you can add 1300 to the number to get another valid proxy number. Once entered, you get another person's name, address, and account number at Janus! You could then vote their shares too.

It's easy.

Probably illegal.

Definitely a great resource for identity thieves.

Certainly pathetic.

(Via Schneier on Security.)

Tuesday, November 22, 2005

Schneier on Security: Surveillance and Oversight:

Christmas 2003, Las Vegas. Intelligence hinted at a terrorist attack on New Year's Eve. In the absence of any real evidence, the FBI tried to compile a real-time database of everyone who was visiting the city. It collected customer data from airlines, hotels, casinos, rental car companies, even storage locker rental companies. All this information went into a massive database -- probably close to a million people overall -- that the FBI's computers analyzed, looking for links to known terrorists. Of course, no terrorist attack occurred and no plot was discovered: The intelligence was wrong.

A typical American citizen spending the holidays in Vegas might be surprised to learn that the FBI collected his personal data, but this kind of thing is increasingly common. Since 9/11, the FBI has been collecting all sorts of personal information on ordinary Americans, and it shows no signs of letting up.

The FBI has two basic tools for gathering information on large groups of Americans. Both were created in the 1970s to gather information solely on foreign terrorists and spies. Both were greatly expanded by the USA Patriot Act and other laws, and are now routinely used against ordinary, law-abiding Americans who have no connection to terrorism. Together, they represent an enormous increase in police power in the United States.

The first are FISA warrants (sometimes called Section 215 warrants, after the section of the Patriot Act that expanded their scope). These are issued in secret, by a secret court. The second are national security letters, less well known but much more powerful, and which FBI field supervisors can issue all by themselves. The exact numbers are secret, but a recent Washington Post article estimated that 30,000 letters each year demand telephone records, banking data, customer data, library records, and so on.

In both cases, the recipients of these orders are prohibited by law from disclosing the fact that they received them. And two years ago, Attorney General John Ashcroft rescinded a 1995 guideline that this information be destroyed if it is not relevant to whatever investigation it was collected for. Now, it can be saved indefinitely, and disseminated freely.

September 2005, Rotterdam. The police had already identified some of the 250 suspects in a soccer riot from the previous April, but most were unidentified but captured on video. In an effort to help, they sent text messages to 17,000 phones known to be in the vicinity of the riots, asking that anyone with information contact the police. The result was more evidence, and more arrests.

The differences between the Rotterdam and Las Vegas incidents are instructive. The Rotterdam police needed specific data for a specific purpose. Its members worked with federal justice officials to ensure that they complied with the country's strict privacy laws. They obtained the phone numbers without any names attached, and deleted them immediately after sending the single text message. And their actions were public, widely reported in the press.

On the other hand, the FBI has no judicial oversight. With only a vague hinting that a Las Vegas attack might occur, the bureau vacuumed up an enormous amount of information. First its members tried asking for the data; then they turned to national security letters and, in some cases, subpoenas. There was no requirement to delete the data, and there is every reason to believe that the FBI still has it all. And the bureau worked in secret; the only reason we know this happened is that the operation leaked.

These differences illustrate four principles that should guide our use of personal information by the police. The first is oversight: In order to obtain personal information, the police should be required to show probable cause, and convince a judge to issue a warrant for the specific information needed. Second, minimization: The police should only get the specific information they need, and not any more. Nor should they be allowed to collect large blocks of information in order to go on "fishing expeditions," looking for suspicious behavior. The third is transparency: The public should know, if not immediately then eventually, what information the police are getting and how it is being used. And fourth, destruction. Any data the police obtains should be destroyed immediately after its court-authorized purpose is achieved. The police should not be able to hold on to it, just in case it might become useful at some future date.

This isn't about our ability to combat terrorism; it's about police power. Traditional law already gives police enormous power to peer into the personal lives of people, to use new crime-fighting technologies, and to correlate that information. But unfettered police power quickly resembles a police state, and checks on that power make us all safer.

As more of our lives become digital, we leave an ever-widening audit trail in our wake. This information has enormous social value -- not just for national security and law enforcement, but for purposes as mundane as using cell-phone data to track road congestion, and as important as using medical data to track the spread of diseases. Our challenge is to make this information available when and where it needs to be, but also to protect the principles of privacy and liberty our country is built on.

This essay originally appeared in the Minneapolis Star-Tribune.

(Via Schneier on Security.)

EFF: Breaking News: EFF Files Class Action Lawsuit Against Sony BMG:

Company Should Repair Damage to Customers Caused by CD Software

The Electronic Frontier Foundation (EFF), along with two leading national class action law firms, today filed a lawsuit against Sony BMG, demanding that the company repair the damage done by the First4Internet XCP and SunnComm MediaMax software it included on over 24 million music CDs.

EFF is pleased that Sony BMG has taken steps in acknowledging the security risks caused by the XCP CDs, including a recall of the infected discs. However, these measures still fall short of what the company needs to do to fix the problems caused to customers by XCP, and Sony BMG has failed entirely to respond to concerns about MediaMax, which affects over 20 million CDs -- ten times the number of CDs as the XCP software.

"Sony BMG is to be commended for its acknowledgment of the serious security problems caused by its XCP software, but it needs to go further to regain the public's trust," said Corynne McSherry, EFF Staff Attorney. "It is unconscionable for Sony BMG to refuse to respond to the privacy and other problems created by the over 20 million CDs containing the SunnComm software."

The suit, to be filed in Los Angeles County Superior court, alleges that the XCP and SunnComm technologies have been installed on the computers of millions of unsuspecting music customers when they used their CDs on machines running the Windows operating system. Researchers have shown that the XCP technology was designed to have many of the qualities of a "rootkit." It was written with the intent of concealing its presence and operation from the owner of the computer, and once installed, it degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG's servers. The nature of a rootkit makes it extremely difficult to remove, often leaving reformatting the computer's hard drive as the only solution. When Sony BMG offered a program to uninstall the dangerous XCP software, researchers found that the installer itself opened even more security vulnerabilities in users' machines. Sony BMG has still refused to use its marketing prowess to widely publicize its recall program to reach the over 2 million XCP-infected customers, has failed to compensate users whose computers were affected and has not eliminated the outrageous terms found in its End User Licensing Agreement (EULA).

The MediaMax software installed on over 20 million CDs has different, but similarly troubling problems. It installs files on the users' computers even if they click "no" on the EULA, and it does not include a way to fully uninstall the program. The software transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the company to track listening habits -- even though the EULA states that the software will not be used to collect personal information and SunnComm's website says "no information is ever collected about you or your computer." If users repeatedly requested an uninstaller for the MediaMax software, they were eventually provided one, but they first had to provide more personally identifying information. Worse, security researchers recently determined that SunnComm's uninstaller creates significant security risks for users, as the XCP uninstaller did.

"Music fans shouldn't have to install potentially dangerous, privacy intrusive software on their computers just to listen to the music they've legitimately purchased," said EFF Legal Director Cindy Cohn. "Regular CDs have a proven track record -- no one has been exposed to viruses or spyware by playing a regular audio CD on a computer. Why should legitimate customers be guinea pigs for Sony BMG's experiments?"

"Consumers have a right to listen to the music they have purchased in private, without record companies spying on their listening habits with surreptitiously-installed programs," added EFF Staff Attorney Kurt Opsahl, "Between the privacy invasions and computer security issues inherent in these technologies, companies should consider whether the damage done to consumer trust and their own public image is worth its scant protection."

Both the XCP and MediaMax CDs include outrageous, anti-consumer terms in their "clickwrap" EULAs. For example, if purchasers declare personal bankruptcy, the EULA requires them to delete any digital copies on their computers or portable music players. The same is true if a customer's house gets burglarized and his CDs stolen, since the EULA allows purchasers to keep copies only so long as they retain physical possession of the original CD. EFF is demanding that Sony BMG remove these unconscionable terms from its EULAs.

The law firms of Green Welling, LLP, and Lerach, Coughlin, Stoia, Geller, Rudman and Robbins, LLP, joined EFF in the case. Sony BMG is also facing at least six other class action lawsuits nationwide and an action by the Texas Attorney General. EFF looks forward to representing the voice of digital music fans in the resolution of these disputes between Sony BMG and consumers.

For more on the Sony BMG litigation, see:
http://www.eff.org/IP/DRM/Sony-BMG/

EFF's open letter to Sony:
http://www.eff.org/IP/DRM/Sony-BMG/?f=open-letter-2005-11-14.html

(Via EFF: Breaking News.)

Tuesday, November 15, 2005

Schneier on Security: Still More on Sony's DRM Rootkit:

This story is just getting weirder and weirder (previous posts here and here).

Sony already said that they're stopping production of CDs with the embedded rootkit. Now they're saying that they will pull the infected disks from stores and offer free exchanges to people who have inadvertently bought them.

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

That's good news, but there's more bad news. The patch Sony is distributing to remove the rootkit opens a huge security hole:

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

Even more interesting is that there may be at least half a million infected computers:

Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, [security researcher Dan] Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

I say "may be at least" because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business. Their methodology seems sound, though:

Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.

Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- connected.sonymusic.com, updates.xcp-aurora.com and license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently.

If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.

In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media.

(Via Schneier on Security.)

Schneier on Security: The Security of Tin Foil Hats:

Really:

Abstract: Among a fringe community of paranoids, aluminum helmets serve as the protective measure of choice against invasive radio signals. We investigate the efficacy of three aluminum helmet designs on a sample group of four individuals. Using a $250,000 network analyser, we find that although on average all helmets attenuate invasive radio frequencies in either directions (either emanating from an outside source, or emanating from the cranium of the subject), certain frequencies are in fact greatly amplified. These amplified frequencies coincide with radio bands reserved for government use according to the Federal Communication Commission (FCC). Statistical evidence suggests the use of helmets may in fact enhance the government's invasive abilities. We theorize that the government may in fact have started the helmet craze for this reason.

And a rebuttal:

A recent MIT study [1] calls into question the effectiveness of Aluminum Foil Deflector Beanies. However, there are serious flaws in this study, not the least of which is a complete mischaracterization of the process of psychotronic mind control. I theorize that the study is, in fact, NWO propaganda designed to spread FUD against deflector beanie technology, and aluminum shielding in general, in order to disembeanie paranoids, leaving them open to mind control.

(Via Schneier on Security.)

Schneier on Security: More on Sony's DRM Rootkit:

Here's the story, edited to add lots of news.

There will be lawsuits. (Here's the first.) Police are getting involved. There's a Trojan that uses Sony's rootkit to hide. And today Sony temporarily halted production of CDs protected with this technology.

Sony really overreached this time. I hope they get slapped down hard for it.

EDITED TO ADD (13 Nov): More information on uninstalling the rootkit. And Microsoft will update its security tools to detect and remove the rootkit. That makes a lot of sense. If Windows crashes because of this -- and others of this ilk -- Microsoft will be blamed.

(Via Schneier on Security.)

Wednesday, November 09, 2005

Mark's Sysinternals Blog: Sony: You don’t reeeeaaaally want to uninstall, do you?:

A few days after I posted my first blog entry on Sony’s rootkit, Sony and Rootkits: Digital Rights Management Gone Too Far, Sony announced to the press that it was making available a decloaking patch and uninstall capability through its support site. Note that I said press and not customer. The uninstall process Sony has put in place is on par with mainstream spyware and adware and is the topic of this blog post.

As I’ve stated several times already, Sony’s rootkit hides the Digital Rights Management (DRM) files from users that have it installed, so users not monitoring the developments in this story are unaware of the scope and intrusiveness of the DRM. The End User License Agreement (EULA) does not provide any details on the software or its cloaking. Further, the software installation does not include support information and lacks a registration option, making it impossible for users to contact Sony and Sony to contact its users.

What if a user somehow discovers the hidden files, makes the connection between files and the Sony CD that installed them, and visits Sony BMG’s site in search of uninstall or support information? Or what about the unsuspecting Sony DRM user that happens to visit the Sony BMG site to look at their other offerings? Will these customers learn about the patch and uninstaller?

See for yourself. Visit www.sonybmg.com and search for the support site Sony has made available to the press. There’s no information on this story anywhere on the front page, no support link, and the FAQ only contains information about Sony’s merger with BMG. The fact that Sony’s announcement was directed at the press and that they’ve made no effort to make contact with their customers makes the patch and uninstall look solely like a public relations gesture for the media.

Sony even gives those users like me that are aware of the “uninstaller” several hurdles to jump over. First you have to go to Sony’s support site, guess that the uninstall information is in the FAQ, click on the uninstall link and then fill out a form with your email address and purchasing information, possibly adding yourself to Sony’s marketing lists in the process.

Then, after you submit the information the site takes you to a page that notifies you that you’ll be receiving an email with a “Case ID”. A few minutes later you receive that email, which directs you to install the patch and then visit another page if you still really want to uninstall. That page requires you to install an ActiveX control, CodeSupport.Ocx, that’s signed by First 4 Internet, enter your case ID and fill in the reason for your request. Then you receive an email within a few minutes that informs you that a customer service representative will email you uninstall instructions within one business day.

When you eventually receive the uninstall email from Sony BMG support it comes with a cryptic link in the form http://www.xcp-aurora.com/support/sonybmg/process.aspx?opt=1&id=XYAUfasSFoSdasfDoFPPEWFFEoibnaZPQlSfFgKGSGGIAAAAAAAAAAA (I’ve modified the link so it doesn’t work) to your personalized uninstall page. Interestingly, the email address has a confidentially notice, which implies to me that Sony has something to hide, and it informs you that the uninstaller will expire in one week.

If you visit the uninstall page from the computer where you filled out the first uninstall form then the DRM software is deleted from your system. However, if you visit it from another computer the page requires you install the same CodeSupport ActiveX control as the uninstall-request page, but then even if the computer has the DRM software installed you get this error:



Besides the obvious question of why there’s not a universal uninstall link, the error also begs the question of how the Sony site knows that the uninstall link is for a different computer? For that matter, why do you have to install an ActiveX control just to fill out a web form and why does that form have to be filled out “using the computer where the software is currently installed”? The email, web page and ActiveX control offer no hints.

I of course decided to investigate. A network trace of the ActiveX control’s communication with the Sony site using Ethereal reveals that the control sends Sony an encrypted block of data:



A Regmon trace of the ActiveX control’s activity when you press the submit button on the Web page reveals that the encrypted data is actually a signature that the control derives from the hardware configuration of your computer:



The uninstall link Sony sends you has your case ID encrypted in the address and when you visit the uninstall page the ActiveX control sends the hardware signature to Sony’s site. If the signature doesn’t match the one it stored earlier with your Case ID when you made the second uninstall request the site informs you that there’s a case ID mismatch.

While I’ve answered the question of how the uninstaller knows if the uninstall link is for your computer, I can’t definitively answer questions like:

  1. Why isn’t Sony publicizing the uninstall link on their site in any way?
  2. Why do you have to tell Sony twice that you want to uninstall?
  3. Why is the email with the uninstall link labeled confidential?
  4. Why does Sony generate a unique uninstall link for each computer?
Sony has left us to speculate, but under the circumstances the answer to all these questions seems obvious: Sony doesn’t want customers to know that there’s DRM software installed on their computers and doesn’t want them to uninstall it if they somehow discover it. Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.

For those readers that are coming up to speed with the story, here’s a summary of important developments so far:

The DRM software Sony has been shipping on many CDs since April is cloaked with rootkit technology:
  • Sony denies that the rootkit poses a security or reliability threat despite the obvious risks of both
  • Sony claims that users don’t care about rootkits because they don’t know what a rootkit is
  • The installation provides no way to safely uninstall the software
  • Without obtaining consent from the user Sony’s player informs Sony every time it plays a “protected” CD
Sony has told the press that they’ve made a decloaking patch and uninstaller available to customers, however this still leaves the following problems:

  • There is no way for customers to find the patch from Sony BMG’s main web page
  • The patch decloaks in an unsafe manner that can crash Windows, despite my warning to the First 4 Internet developers
  • Access to the uninstaller is gated by two forms and an ActiveX control
  • The uninstaller is locked to a single computer, preventing deployment in a corporation
Consumers and antivirus companies are responding:

  • F-Secure independently identified the rootkit and provides information on its site
  • Computer Associates has labeled the Sony software “spyware”
  • A lawfirm has filed a class action lawsuit on behalf of California consumers against Sony
  • ALCEI-EFI, an Italian digital-rights advocacy group, has formally asked the Italian government to investigate Sony for possible Italian law violations

(Via Mark's Sysinternals Blog.)

Tuesday, November 08, 2005

Mark's Sysinternals Blog: Sony’s Rootkit: First 4 Internet Responds:

First 4 Internet, the company that implements Sony’s Digital Rights Management (DRM) software that includes a rootkit, has responded to my last post, More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home. They rebut four of the points I raise in the post. Their first statement relates to my assertion that Sony’s player contacts Sony’s web site each time it runs and sends the site an ID associated with the CD the user is playing:

The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities.

I speculated that the player sends Sony’s web site a CD identifier as part of a check to see if new song lyrics or artwork was available, which they essentially confirm. Their claim that the communication is “one way” from Sony’s web site is false, however, since Sony can make a record of each time their player is used to play a CD, which CD is played, and what computer is playing the CD. If they’ve configured standard Web server logging then they are doing that. As I stated earlier, I doubt Sony is using this information to track user behavior, but the information allows them to do so. In any case, First 4 Internet cannot claim what Sony is or is not doing with the information since they do not control those servers, and the First 4 Internet response fails to address the fact that the End User License Agreement (EULA) and Sony executives either make no mention of the “phone home” behavior or explicitly deny it.

Another point that I made in the post is that the decloaking patch that Sony has made available weighs in at a relatively large 3.5 MB because it not only removes the rootkit, it also replaces most of the DRM files with updated versions. First 4 Internet responded with this:

In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point.

It’s not clear to me what they mean by “a secure installation”, but like most of the disclosure in this story, they’ve acknowledged the updating nature of the patch only after someone else has disclosed it first. What’s also lost in their response is that Sony DRM users not following this story as it develops have no way of knowing that there’s a patch available or that they even have software installed that requires a patch.

Further, Sony’s patch is dangerous because the way that it removes the cloak could crash Windows. I discussed the flaw in the patch’s decloaking method in the first post and again in the last one (I also provide a simple way for users to remove the cloak safely), yet First 4 Internet refuses to recognize it. They contest my claim in their comment:

This is pure conjecture. F4I is using standard Windows commands (net stop) to stop their driver. Nothing more.

While the probability of a crash is relatively small, its not “pure conjecture”, but fundamental to multithreaded programming concepts. Anyone that writes Windows device driver code must have a firm grasp of these concepts or they can easily introduce bugs and security holes into Windows. Here’s one of many scenarios that will lead to a crash when the patch decloaks Sony’s rootkit:

  1. Thread A invokes one of the functions that Aries.sys, the Sony rootkit driver developed by First 4 Internet, has redirected
  2. Thread A reads the address of the redirected function from the system service table, which points at the rootkit function in Aries.sys
  3. Thread A executes the first few instructions of the Aries.sys function, which is enough to enter the driver, but not enough to execute the Aries.sys code that attempts to track threads running within it
  4. Thread A is context swapped off the CPU by the Windows scheduler
  5. The scheduler gives thread B the CPU, which executes the patch’s “unload driver” command, unloading the Aries.sys driver from memory
  6. The scheduler runs thread A again, which executes memory that previously held the contents of Aries.sys, but is now invalid or holds other code or data
  7. Windows detects thread A’s illegal execution and crashes the system with a blue screen
First 4 Internet’s failure to imagine this control flow is consistent with their general failure to understand Windows device driver programming.

As further evidence of this, I’ve performed further testing of the Aries.sys driver using a program I wrote, NTCrash2, and found that Aries.sys fails to perform basic checks on the data passed to it by applications. NTCrash2 passes randomly-generated invalid data to Windows APIs and on a stock Windows system simply receives error codes from the APIs. However, when NTCrash2 runs on a system that has the Sony rootkit installed Windows crashes. Here’s an example Windows blue screen that identifies Aries.sys as the cause of a crash that occurred while NTCrash2 ran:



Besides demonstrating the ineptitude of the First 4 Internet programmers, this flaw highlights my message that rootkits create reliability risks in addition to security risks. Because the software package that installed the rootkit is hidden when Windows is running (in this case Sony’s DRM software), and even if exposed not clearly identified, if an application triggers one of Aries.sys’s bugs a user would have no way of associating the driver responsible for the resulting crash with any software package they have installed on their system. The user would therefore be unable to conclusively diagnose the cause of the crash, check to see if they have the most recent version of the driver or of uninstalling the driver.

First 4 Internet and Sony also continue to argue that the rootkit poses no security vulnerability, repeating it in the description of the patch download. Any software that hides files, processes, and registry keys based on a prefix of letters can clearly be used by malicious software.

First 4 Internet’s final rebuttal relates to my complaint that as part of a request to uninstall their DRM software Sony requires you to submit your email address to their marketing lists. First 4 Internet says:

An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.

The Sony privacy policy the comment refers to clearly states that Sony may add a user’s email address to their marketing lists:

Except on sites devoted to particular recording artists, we may share the information we collect from you with our affiliates or send you e-mail promotions and special offers from reputable third parties in whose products and services we think you may have an interest. We may also share your information with reputable third-parties who may contact you directly.

Again, the fact is that most users of Sony’s DRM won’t realize that they even have software that can be uninstalled. Also, the comment does not explain why Sony won’t simply make the uninstaller available as a freely accessible download like they do the patch, nor why users have to submit two requests for the uninstaller and then wait for further instructions to be emailed (I still have not received the uninstaller). The only motivation I can see for this is that Sony hopes you’ll give up somewhere in the process and leave their DRM software on your system. I’ve seen similar strategies used by adware programs that make it difficult, but not impossible, for you to remove them.

Instead of admitting fault for installing a rootkit and installing it without proper disclosure, both Sony and First 4 Internet claim innocence. By not coming clean they are making clear to any potential customers that they are a not only technically incompetent, but also dishonest.

(Via Mark's Sysinternals Blog.)

Schneier on Security: The FBI is Spying on Us:

From TalkLeft:

The Washington Post reports that the FBI has been obtaining and reviewing records of ordinary Americans in the name of the war on terror through the use of national security letters that gag the recipients.

Merritt's entire post is worth reading.

The closing:

The ACLU has been actively litigating the legality of the National Security Letters. Their latest press release is here.

Also, the ACLU is less critical than I am of activity taking place in Congress now where conferees of the Senate and House are working out a compromise version of Patriot Act extension legislation that will resolve differences in versions passed by each in the last Congress. The ACLU reports that the Senate version contains some modest improvements respecting your privacy rights while the House version contains further intrusions. There is still time to contact the conferees. The ACLU provides more information and a sample letter here.

History shows that once new power is granted to the government, it rarely gives it back. Even if you wouldn't recognize a terrorist if he were standing in front of you, let alone consort with one, now is the time to raise your voice.

EDITED TO ADD: Here's a good personal story of someone's FBI file.

(Via Schneier on Security.)

Friday, November 04, 2005

Perl.com: Making Sense of Subroutines:

tile imageSubroutines are the building blocks of programs. Yet, too many programmers use them ineffectively, whether not making enough of them, naming them poorly, combining too many concepts into one, or any of a dozen other problems. Used properly, they can make your programs shorter, faster, and more maintainable. Rob Kinyon shows the benefits and advanced uses that come from revisiting the basics of subroutines in Perl.

(Via Perl.com.)

Robert Spier: Producing Open Source Software:

I've only read the table of contents and skimmed a few chapters, but Karl Fogel (of CVS and Subversion fame) has written a "must read" book.

Producing Open Source Software - How to Run a Successful Free Software Project (read online, Buy buy from Amazon, buy from O'Reilly) is an overview of most aspects of the open source world. He covers everything from Version Control Systems to Hired Guns to Releases and Version Numbering. Karl's been doing open source for years, and has some great anecdotes to share, and he does it in a friendly and explanatory manner.

Even if you've been doing open source for years, you'll get something out of the book, even if it's just reassurance that you're not the only one who thinks that way.

Karl has been one of the driving forces behind the Subversion project. I'm consistently impressed with how Subversion is run. Decisions are well thought out, things are planned, flamewars are rare, discussions are civil. You too can have a happy project.

(Via Planet Perl.)

Schneier on Security: Oracle's Password Hashing:

Here's a paper on Oracle's password hashing algorithm. It isn't very good.

In this paper the authors examine the mechanism used in Oracle databases for protecting users' passwords. We review the algorithm used for generating password hashes, and show that the current mechanism presents a number of weaknesses, making it straightforward for an attacker with limited resources to recover a user's plaintext password from the hashed value. We also describe how to implement a password recovery tool using off-the-shelf software. We conclude by discussing some possible attack vectors and recommendations to mitigate this risk.

(Via Schneier on Security.)

Thursday, November 03, 2005

EFF: Breaking News: File-Sharing Lawsuits Fail to Deter P2P Downloaders:

RIAA v. The People: Two Years Later

Chicago - It's been two years since the Recording Industry Association of America (RIAA) started suing music fans who share songs online. Thousands of Americans have been hit by lawsuits, but both peer-to-peer (P2P) file sharing and the litigation continue unabated.

In a report released Thursday, "RIAA v. The People: Two Years Later," the Electronic Frontier Foundation (EFF) argues that the lawsuits are singling out only a select few fans for retribution, and many of them can't afford either to settle the case or defend themselves. EFF's report cites the case of a single mother in Minnesota who faces $500,000 in penalties for her daughter's alleged downloading, as well as the case of a disabled veteran who was targeted for downloading songs she already owned.

"Out of the millions of people who download music from P2P systems every day, the RIAA arbitrarily picks a few hundred to sue every month," said EFF Senior Staff Attorney Fred von Lohmann. "Many of those families suffer severe financial hardship. But despite all the publicity, studies show that P2P usage is increasing instead of decreasing."

"RIAA v. The People" was released in conjunction with the first annual P2P Litigation Summit in Chicago on Thursday, which brings together defense attorneys, clients, advocates, and academics to discuss the latest developments in the lawsuits.

Three other reports released Thursday were aimed at helping lawyers representing music fans sued by the RIAA. "Typical Claims and Counter Claims in Peer to Peer Litigation" is a general discussion of the lawsuits, while "Parental Liability for Copyright Infringement by Minor Children" and "Copyright Judgments in Personal Bankruptcy" both tackle important issues arising in defending families from devastating judgments.

"After two years of lawsuits, there's only one conclusion to draw," said von Lohmann. "Suing music fans is no answer to the P2P dilemma."

For "RIAA v. The People: Two Years Later":
http://www.eff.org/IP/P2P/RIAAatTWO_FINAL.pdf

For "Typical Claims and Counter Claims in Peer to Peer Litigation:
http://www.eff.org/IP/P2P/RIAA_v_ThePeople/P2P_witkin.pdf

For "Parental Liability for Copyright Infringement":
http://www.eff.org/IP/P2P/Parent_Liability_Nov_2005.pdf

For "Copyright Judgments in Personal Bankruptcy":
http://www.eff.org/IP/P2P/RIAA_v_ThePeople/P2P_bktcy_memo.pdf

For more on the P2P Litigation Summit:
http://www.eff.org/IP/P2P/p2p_litigation_summit.php

Contacts:

Cindy Cohn
Legal Director
Electronic Frontier Foundation
cindy@eff.org

Fred von Lohmann
Senior Intellectual Property Attorney
Electronic Frontier Foundation
fred@eff.org

(Via EFF: Breaking News.)

Schneier on Security: The Security of RFID Passports:

My fifth column for Wired:

The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID is just one example of where, apparently, the State Department didn't have enough of the expertise it needed to do this right.

Of course it can fix the problem, but the real issue is how many other problems like this are lurking in the details of its design? We don't know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny.

The State Department's plan to issue RFID passports by October 2006 is both precipitous and risky. It made a mistake designing this behind closed doors. There needs to be some pretty serious quality assurance and testing before deploying this system, and this includes careful security evaluations by independent security experts. Right now the State Department has no intention of doing that; it's already committed to a scheme before knowing if it even works or if it protects privacy.

My previous entries on RFID passports are here, here, and here.

(Via Schneier on Security.)

Tuesday, November 01, 2005

Connect @ EDUCAUSE:Copyright being used in the Intelligent Design vs Evolution battle:

The National Research Council and the National Science Teachers Association have moved to prevent the Kansas State Department of Education from using their documents "National Science Education Standards" and "Pathways to Science Standards." This is a reminder, once again, that "educational use" is not and has never been an excuse for copyright infringement.

Different points of view on this may be found at /. and family.org.

(Via connect.educause.edu - Technology In Academia -- Connect @ EDUCAUSE.)

Schneier on Security: NIST Hash Workshop Liveblogging (4):

This morning we heard a variety of talks about hash function design. All are esoteric and interesting, and too subtle to summarize here. Hopefully the papers will be online soon; keep checking the conference website.

Lots of interesting ideas, but no real discussion about trade-offs. But it's the trade-offs that are important. It's easy to design a good hash function, given no performance constraints. But we need to trade off performance with security. When confronted with a clever idea, like Ron Rivest's dithering trick, we need to decide if this a good use of time. The question is not whether we should use dithering. The question is whether dithering is the best thing we can do with (I'm making these numbers up) a 20% performance degradation. Is dithering better than adding 20% more rounds? This is the kind of analysis we did when designing Twofish, and it's the correct analysis here as well.

Bart Preneel pointed out the obvious: if SHA-1 had double the number of rounds, this workshop wouldn't be happening. If MD5 had double the number of rounds, that hash function would still be secure. Maybe we've just been too optimistic about how strong hash functions are.

The other thing we need to be doing is providing answers to developers. It's not enough to express concern about SHA-256, or wonder how much better the attacks on SHA-1 will become. Developers need to know what hash function to use in their designs. They need an answer today. (SHA-256 is what I tell people.) They'll need an answer in a year. They'll need an answer in four years. Maybe the answers will be the same, and maybe they'll be different. But if we don't give them answers, they'll make something up. They won't wait for us.

And while it's true that we don't have any real theory of hash functions, and it's true that anything we choose will be based partly on faith, we have no choice but to choose.

And finally, I think we need to stimulate research more. Whether it's a competition or a series of conferences, we need new ideas for design and analysis. Designs beget analyses beget designs beget analyses.... We need a whole bunch of new hash functions to beat up; that's how we'll learn to design better ones.

(Via Schneier on Security.)

Schneier on Security: Sony Secretly Installs Rootkit on Computers:

Mark Russinovich discovered a rootkit on his system. After much analysis, he discovered that the rootkit was installed as a part of the DRM software linked with a CD he bought. The package cannot be uninstalled. Even worse, the package actively cloaks itself from process listings and the file system.

At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad.

Removing the rootkit kills Windows.

Could Sony have violated the the Computer Misuse Act in the UK? If this isn't clearly in the EULA, they have exceeded their privilege on the customer's system by installing a rootkit to hide their software.

Certainly Mark has a reasonable lawsuit against Sony in the U.S.

EDITED TO ADD: The Washington Post is covering this story.

Sony lies about their rootkit:

November 2, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.

Their update does not remove the rootkit, it just gets rid of the $sys$ cloaking.

Ed Felton has a great post on the issue:

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they're not just taking away the rootkit-like function -- they're almost certainly adding things to the system as well. And once again, they're not disclosing what they're doing.

No doubt they'll ask us to just trust them. I wouldn't. The companies still assert -- falsely -- that the original rootkit-like software "does not compromise security" and "[t]here should be no concern" about it. So I wouldn't put much faith in any claim that the new update is harmless. And the companies claim to have developed "new ways of cloaking files on a hard drive". So I wouldn't derive much comfort from carefully worded assertions that they have removed "the ... component .. that has been discussed".

And you can use the rootkit to avoid World of Warcraft spyware.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect.
.

EDITED TO ADD: F-Secure maks a good point:

A member of our IT security team pointed out quite chilling thought about what might happen if record companies continue adding rootkit based copy protection into their CDs.

In order to hide from the system a rootkit must interface with the OS on very low level and in those areas theres no room for error.

It is hard enough to program something on that level, without having to worry about any other programs trying to do something with same parts of the OS.

Thus if there would be two DRM rootkits on the same system trying to hook same APIs, the results would be highly unpredictable. Or actually, a system crash is quite predictable result in such situation.

(Via Schneier on Security.)