SecurityFocus, 2005-11-16
"I am concerned that some attempts to protect content may overstep reasonable boundaries and limit consumers' legal options, particularly in the light of the emerging technologies that we are beginning to see in the marketplace," Republican Rep. Joe Barton of Texas, chairman of the House Committee on Energy and Commerce, said in a published opening statement.
"It boils down to this: I believe that when I buy a music album or movie, it should be mine once I leave the store," Barton said. "Who doesn't believe that? Does it mean I have unlimited rights? Of course not. But the law should not restrict my fair-use right to use my own property."
Yet the response to Sony BMG's copy protections is less about the system being too restrictive and more about the technology's effect on consumers' systems. Many security experts--including antivirus firms F-Secure and Symantec (the parent company of SecurityFocus) and software giant Microsoft--have labeled at least a portion of the XCP software as malicious code. Antivirus firms now detect the presence of the software, and a few offer tools that can remove part or all of the system's functionality.
The reaction by the security community shows that media companies cannot assume that they have the right to install whatever software they wish on a consumer's computer, said Ari Schwartz, associate director for the Center for Democracy and Technology, a Washington, D.C.-based technology-policy think tank.
"This incident does show companies that they can't just ignore consumer expectations and do what they want to do, no matter how justifiable it might be under the law," Schwartz said.
The impact of the Sony BMG software on corporate networks may be severe, if recent data gathered by security researcher Dan Kaminsky holds up.
Kaminsky worked from a list of 9 million domain-name servers, about 3 million of which are reachable by computers outside their networks. The security researcher sent DNS requests to the 3 million systems, asking each whether certain domain names used by the XCP software were already in its cache. He found that 568,000 DNS servers had previously been asked to look up the same domains used by the XCP software. Another 350,000 servers had to be thrown out of the data set because they did not obey the instruction to look only in their cache, and instead queried other servers on the Internet.
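The measurement above is a DNS cache-snooping survey: each resolver is sent a query with the recursion-desired bit cleared, so a compliant server answers only from what it already has cached, and servers that answer anyway for a name that cannot possibly be cached are discarded. The following is an added example, not Kaminsky's code or anything from the article, that builds such queries with the standard library only, parses the replies, and sorts one resolver into the article's three buckets (cached, not cached, ignored the cache-only request). The probe name `xcp-domain.example` is a placeholder for the XCP-related domains the article does not spell out, and `CONTROL_NAME` is a constructed name that no client would ever look up; the replies in `demo()` are constructed fixtures rather than captured traffic.

```python
import struct

# Placeholder for the XCP-related domain names the article does not spell out.
XCP_PROBE_NAME = "xcp-domain.example"
# Constructed unique name: nothing legitimate ever looks this up, so an answer
# to a cache-only query for it can only come from a resolver that recursed anyway.
CONTROL_NAME = "nonce-7f3a.control.example"


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, txid, recursion_desired=False):
    """Build a DNS A query. With RD cleared, a compliant resolver answers only
    from its cache (the 'look only in your cache' request the article describes)."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(data):
    """Parse the header flags and the answer section of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata": data[offset:offset + rdlen]})
        offset += rdlen
    return {"id": txid, "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


def classify_server(probe_reply, control_reply):
    """Sort one resolver by its two RD=0 replies into the article's three buckets."""
    if control_reply["answers"]:
        return "ignored-rd"   # answered an uncacheable name: it recursed anyway, discard it
    if probe_reply["answers"]:
        return "cached"       # some client behind this resolver looked the name up
    return "not-cached"


def build_response(query, rdata=None, ttl=0):
    """Constructed resolver reply to `query` (test fixture, not captured traffic)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | 0x0080         # QR=1, echo RD, RA=1
    ancount = 0 if rdata is None else 1
    reply = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]
    if rdata is not None:                               # owner name = pointer to the question at offset 12
        reply += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return reply


def demo():
    """Three constructed resolvers, classified the way the survey sorted them."""
    probe_q = build_query(XCP_PROBE_NAME, 0x1234)
    control_q = build_query(CONTROL_NAME, 0x1235)
    empty_ctrl = parse_response(build_response(control_q))                                # no answer section
    honest_hit = parse_response(build_response(probe_q, b"\x0a\x00\x00\x01", ttl=1800))  # cached, TTL counting down
    honest_miss = parse_response(build_response(probe_q))
    leaky_hit = parse_response(build_response(probe_q, b"\x0a\x00\x00\x01", ttl=3600))
    leaky_ctrl = parse_response(build_response(control_q, b"\x0a\x00\x00\x02", ttl=3600))
    return {
        "A": classify_server(honest_hit, empty_ctrl),    # honours RD=0, probe name cached
        "B": classify_server(honest_miss, empty_ctrl),   # honours RD=0, nothing cached
        "C": classify_server(leaky_hit, leaky_ctrl),     # recursed despite RD=0: thrown out
    }


if __name__ == "__main__":
    print(demo())
```

The control query is what makes the third bucket detectable: a resolver that honours RD=0 has no way to answer a freshly invented name, so any answer to it proves the server went out to the Internet and its probe reply says nothing about its own cache. From the defender's side the same packet is a useful self-check: a resolver that serves cache contents to non-recursive queries from outside its network is revealing which names its users resolve, and should be restricted to its own clients.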
While other factors may increase or decrease the number, Kaminsky stressed that the experiment was about finding out the magnitude of the impact of Sony BMG's software.
"My goal is not to get absolute accuracy, but to get orders of magnitude," Kaminsky said. "As security professionals, we have different levels of response for hundreds of hosts versus hundreds of thousands of hosts. Without a shadow of a doubt, this is a world-class pandemic."