Of rootkits and personal responsibility

Let's see, at 15 million purchases that works out to a total fine of about $250 million . . . not bad. Certainly a lot more than a slap on the wrist, but is it fair?

I ask because had some teenager in the likes of Defiant, Idaho, released similar code on the world with such reckless abandon, he would be looking at a jail term and his parents would be looking at bankruptcy. The culprit and his parents would have been held personally responsible.

So why have no Sony BMG executives been held personally responsible for their reckless, ignorant decision to distribute malware with their CDs?

Remember Thomas Hesse, the president of global digital business for Sony BMG Music Entertainment? When the furor over the Sony rootkit was reaching a head, it was Hesse who, in an interview on National Public Radio's "Morning Edition," said: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

Anyway, it probably won't come as a surprise to find out that what happened to Hesse, who as top dog in this area surely should carry the responsibility of major cock-ups, was nothing. I checked with his office, and he's still there and still the president of global digital business. Amazing.

The Network World story continued: "But the broader rootkit debate seems far from over." Various people are jumping into the fray, with some saying rootkits are a practical and defensible technique, while others decry them as the spawn of the devil and the beginning of the end of civilization as we know it.

What I think that many people, including those quoted in the story, are missing is that rootkits aren't the issue.

Part of the problem is that rootkit is an inexact term. Generally, rootkit means software that is run at the system level such that it cannot be detected. There are all sorts of processes running on computers that are hard to detect for a variety of reasons, but not many are considered rootkits; they are called things such as drivers or services or libraries.

What we're interested in is software with a hidden agenda. Whether it has a hidden and actionable agenda depends on three things: the intention of the code, whether the code's creator alerts the user to its deployment, and - this is the big one - whether the operating system can be defended against unauthorized modifications and audited to detect them should modifications occur.

Obviously, code intended to do anything the user would not approve or not be aware of is unacceptable whether or not its creator actually tells the user.

The big problem, however, is to what extent the operating system provides a defense against modifications. While there are tools, such as Faronics Deep Freeze, that can wipe out unauthorized system changes, this isn't the same as detecting intrusions in real time. And while there are a few products that attempt to guard Windows systems against intrusions, unless that defense is done at a system level - say, like a rootkit - then it is not going to be effective.
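The "audited to detect them" half of that test is the part an administrator can actually act on. The following is an added example, not code from the column or from any product it names: it takes a hash baseline of a directory tree, then re-snapshots it and reports files that were added, removed or altered. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            result[p.relative_to(root).as_posix()] = digest
    return result


def audit(baseline, current):
    """Compare a trusted baseline with a fresh snapshot and report what changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            f for f in baseline if f in current and baseline[f] != current[f]
        ),
    }


def demo():
    """Constructed scenario: baseline a fake system directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "drivers").mkdir()
        (root / "drivers" / "disk.sys").write_bytes(b"original driver image")
        (root / "config.ini").write_text("autorun=0\n")
        baseline = snapshot(root)  # in practice, store this off the audited machine
        # Simulated unauthorized change: one driver is replaced, one new file appears
        (root / "drivers" / "disk.sys").write_bytes(b"patched driver image")
        (root / "drivers" / "hidden.sys").write_bytes(b"unexpected component")
        return audit(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

This only works if the baseline is kept somewhere the audited system cannot rewrite, and it reads files through the same operating system it is checking; once the kernel itself has been subverted, the listing and contents it returns can no longer be trusted, which is exactly why the column argues the defense has to live at the system level.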

So the issue with rootkits is not rootkits at all. It is the intentions of other people and their code, and whether we can hold those people personally responsible. If they work for large corporations, apparently we can't.

Outraged? Tell me on Gibbsblog or write to backspin@gibbs.com.
