Schadenfreude And Sony

I feel bad for the Sony employees affected. This can’t be fun for them. But for Sony itself, a company I once respected as the leader in consumer electronics I have little sympathy and lots of schadenfreude.

Sony

Sony has been hacked. It’s pretty severe. Company and personal secrets have been spilled. Some data has probably been lost. Media files from finished, but unreleased, movies are now online. It’s a very big problem.

Hacking like this has happened before. In 2005 Bruce Schneier wrote about sneaky code on music CDs which

modifies Windows so you can’t tell it’s there, a process called “cloaking” in the hacker world. It acts as spyware, surreptitiously sending information about you… And it can’t be removed; trying to get rid of it damages Windows.

Nasty stuff. Which leads me to my favorite German word, “schadenfreude.”

Schadenfreude (/ˈʃɑːdənfrɔɪdə/; German: [ˈʃaːdn̩ˌfʀɔɪ̯də] ) is pleasure derived from the misfortunes of others. This word is taken from German and literally means ‘harm-joy.’ It is the feeling of joy or pleasure when one sees another fail or suffer misfortune. It is also borrowed by some other languages.Wikipedia

Why would I feel pleasure from Sony’s misfortune? It was Sony that installed malware on buyers of its CDs!

Back to Bruce Schneier:

It’s a tale of extreme hubris. Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers’ computers. When its actions were first discovered, Sony offered a “fix” that didn’t remove the rootkit, just the cloaking.

Sony claimed the rootkit didn’t phone home when it did. On Nov. 4, Thomas Hesse, Sony BMG’s president of global digital business, demonstrated the company’s disdain for its customers when he said, “Most people don’t even know what a rootkit is, so why should they care about it?” in an NPR interview. Even Sony’s apology only admits that its rootkit “includes a feature that may make a user’s computer susceptible to a virus written specifically to target the software.”

However, imperious corporate behavior is not the real story either.

This drama is also about incompetence. Sony’s latest rootkit-removal tool actually leaves a gaping vulnerability. And Sony’s rootkit — designed to stop copyright infringement — itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library’s license agreement.

What goes around comes around!

I feel bad for the Sony employees affected. This can’t be fun for them. But for Sony itself, a company I once respected as the leader in consumer electronics I have little sympathy and lots of schadenfreude.

The NSA’s On The Wrong Side Of Heartbleed

Since this entry was published the NSA had denied any part in knowing the Heartbleed flaw existed. Their adherence to the truth has been less than exemplary in the past. Let’s let this play out. – Geoff

heartbleedYou’ve probably heard about the Heartbleed bug by now. It’s a flaw introduced to to SSL (Secure Sockets Layer); a mistake as code was updated.

Simply put, Internet data transmissions we thought were secure were not. Things like passwords, financial information, anything private was easily cracked.

The bug languished mostly unknown for years. That’s called security by obscurity. Never a good idea. We’re seeing that now.

As far as I can tell Heartbleed’s never been exploited for nefarious commercial purposes. It has that potential. However, it has been exploited by our government’s spies!

The NSA knew Heartbleed existed. They had a choice, tell the maintainers of the code to fix it or exploit it themselves and leave us vulnerable. They chose the latter.

Now, because the NSA felt their ability to soak up data trumped our collective security, Heartbleed is a big deal! Leaving this security hole open for years is reprehensible.

More and more it seems America’s intelligence agencies, beginning with the NSA, are out-of-control. They have lost sight of their actually mission–protecting us. Instead we are more vulnerable and our international partners know we can’t be trusted with their precious secrets.

This story was broken by Michael Riley at Bloomberg News.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

It’s time we have a come to Jesus meeting with our spies. Is everyone in Washington that scared of them?

The Return Of Mr. Tech Support Guy

Without getting too bogged in detail (maybe I’m already past that point) after an hour I was able to install Microsoft Essentials Security which found more viruses than a daycare center during flu season!

“I need to speak to Greg.” The voice was Stef’s on the phone to Helaine. Greg is me. It’s an inside joke in the Fox family.

When daughters speak to mothers it’s because they want to talk. When daughters speak to fathers it’s because they want something.

You take what you get.

Stef was calling on behalf of her friend Christina. Everything on her computer screen was stretched. Could I help?

Could I help? Does Bill Gates have a bad haircut? Please!

A few minutes later we were on a conference call with Stef in California, Christina in New Jersey and me here in Connecticut. I had Christina download the TeamViewer.com software and within two minutes I was in. Thirty seconds later the problem was solved!

Wow, I’m good.

Actually I had an idea what the problem was before I went in. A simple reset of the screen resolution did the trick.

Christina now thinks of me as a god. Stef scores major friend points.

The second tech problem was a little more complex. One of my co-workers asked me to look at his Toshiba laptop. A few minutes after booting it consistently popped a Blue Screen of Death and shut itself down.

Microsoft is constantly improving its game by issuing patches and fixes. This computer had never had any installed–none! The clock was three hours slow because no one had ever reset it from the default Pacific time it ran when it was taken out of the box two years ago.

There were multiple signs of unsafe computing including myriad toolbars in the browser and at least four antivirus programs. I was pretty sure one of those was a virus itself!

In a situation like this stabilizing the patient comes first. I had to find a way to work on the PC without it shutting down.

Without getting too bogged in detail (maybe I’m already past that point) after an hour I was able to install Microsoft Essentials Security which found more viruses than a daycare center during flu season! Here’s a sample of one ‘optional’ program on board.

Win32/Alureon – a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks.

That’s seriously bad.

It’s been neutralized now. Some Trojans respawn themselves when found! I’ll have to recheck later. Scary.

I anticipate this computer will be close to purring by the time I go to sleep. At least 96 Windows updates (over 700 megabytes to download) will get installed followed by another virus scan, toolbar removal and a check of the DNS and Hosts settings.

If you’re saying this stuff is too complex for most users, you’re right. In order to allow PC owners to install the programs they want there are lots of open security holes. When the computer is neither maintained or update the threat is worse.

Alas, the average user is always the weakest link.