funsec mailing list archives

RE: Sony's XCP player includes an auto-update feature


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 21 Nov 2005 17:13:12 -0500

One of the problems that I have with auto-update software is that a
disgruntled employee can use the feature to quickly distribute and run
malicious software on a large number of computers.  The bad guys can also
use auto-update to distribute malware if they can break into an insecure
update server, assuming that auto-updates don't have to be digitally signed.
I wonder who at First 4 Internet, Sony's DRM vendor, would know about the
security measures that the company has taken in the auto-update process?

Richard 

-----Original Message-----
From: Paul Schmehl [mailto:pauls () utdallas edu] 
Sent: Monday, November 21, 2005 4:59 PM
To: Richard M. Smith; funsec () linuxbox org
Subject: Re: [funsec] Sony's XCP player includes an auto-update feature

--On Monday, November 21, 2005 16:33:17 -0500 "Richard M. Smith" 
<rms () computerbytesman com> wrote:

As it turns out, there's a clear solution: A self-updating messaging 
system already built into Sony's XCP player. Every time a user plays an 
XCP-affected CD, the XCP player checks in with Sony's server. As 
Russinovich explained, usually Sony's server sends back a null response.
But with small adjustments on Sony's end -- just changing the output 
of a single script on a Sony web server -- the XCP player can 
automatically inform users of the software improperly installed on 
their hard drives, and of their resulting rights and choices.

I wouldn't hold your breath waiting for that to happen.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

