funsec mailing list archives
RE: Sony's XCP player includes an auto-update feature
From: Matt Jonkman <mjonkman () infotex com>
Date: Mon, 21 Nov 2005 18:28:21 -0500
This has been one of my big talking points in spyware talks for a couple years now. When confronted with the people that are of the mindset that "Spyware is just sending them where I'm shopping, I don't care if it does", you have to raise this point. It's pulling new code, most of them every day, and running it as administrator on your computer. They don't say what it does, who is putting that together, or who they're selling that space to.

If I were a bad guy, and I wanted an instant HUGE botnet, I'd be beating on 180solutions or Claria's doors. Or getting a job there as a lowly coder. One daily update and you've got a multi-million bot net.

It's only a matter of time. Or it may have happened already, but it'd certainly not be disclosed unless one of us discovered it...

Matt

On Mon, 2005-11-21 at 17:13 -0500, Richard M. Smith wrote:
> One of the problems that I have with auto-update software is that a disgruntled employee can use the feature to quickly distribute and run malicious software on a large number of computers. The bad guys can also use auto-update to distribute malware if they can break into an insecure update server assuming that auto-updates don't have to be digitally signed.
>
> I wonder who at First 4 Internet, Sony's DRM vendor, would know about the security measures that the company has taken in the auto-update process?
>
> Richard
>
> -----Original Message-----
> From: Paul Schmehl [mailto:pauls () utdallas edu]
> Sent: Monday, November 21, 2005 4:59 PM
> To: Richard M. Smith; funsec () linuxbox org
> Subject: Re: [funsec] Sony's XCP player includes an auto-update feature
>
> --On Monday, November 21, 2005 16:33:17 -0500 "Richard M. Smith" <rms () computerbytesman com> wrote:
>
> > As it turns out, there's a clear solution: A self-updating messaging system already built into Sony's XCP player. Every time a user plays a XCP-affected CD, the XCP player checks in with Sony's server. As Russinovich explained, usually Sony's server sends back a null response. But with small adjustments on Sony's end -- just changing the output of a single script on a Sony web server -- the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.
>
> I wouldn't hold your breath waiting for that to happen.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
--
--------------------------------------------
Matthew Jonkman, CISSP
Chief Technical Officer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
www.infotex.com
my.infotex.com
www.bleedingsnort.com
--------------------------------------------

NOTICE: The information contained in this email is confidential and intended solely for the intended recipient. Any use, distribution, transmittal or retransmittal of information contained in this email by persons who are not intended recipients may be a violation of law and is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.
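The quoted concern above, that someone who breaks into an update server can push malware when auto-updates do not have to be digitally signed, is what a client-side signature check against a pinned vendor key addresses. The Go code below is an added example, not part of this thread and not code from Sony or First 4 Internet; the `Manifest` type, `VerifyUpdate`, `Demo` and all sample data are hypothetical and constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor returned by the update server.
type Manifest struct {
	Version int
	SHA256  [32]byte // digest of the payload the client will execute
}

func (m Manifest) bytes() []byte { // exact byte string the vendor signs
	return []byte(fmt.Sprintf("v=%d;sha256=%x", m.Version, m.SHA256))
}

// VerifyUpdate accepts a payload only if the manifest is signed by the pinned
// vendor key, is newer than what is installed, and matches the payload digest.
func VerifyUpdate(pinned ed25519.PublicKey, installed int, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return errors.New("rollback or replay of an old version")
	}
	if sha256.Sum256(payload) != m.SHA256 {
		return errors.New("payload does not match signed digest")
	}
	return nil
}

// Demo runs three cases on constructed sample data and returns each verdict.
func Demo() (good, swapped, rogue error) {
	pub, priv, _ := ed25519.GenerateKey(nil)   // vendor key, kept off the update server
	_, attacker, _ := ed25519.GenerateKey(nil) // key held by whoever controls the server
	payload, bad := []byte("constructed sample update v2"), []byte("constructed malicious replacement")
	m := Manifest{Version: 2, SHA256: sha256.Sum256(payload)}
	sig := ed25519.Sign(priv, m.bytes())
	good = VerifyUpdate(pub, 1, m, sig, payload) // genuine update
	swapped = VerifyUpdate(pub, 1, m, sig, bad)  // server swaps the payload only
	evil := Manifest{Version: 3, SHA256: sha256.Sum256(bad)}
	rogue = VerifyUpdate(pub, 1, evil, ed25519.Sign(attacker, evil.bytes()), bad) // server re-signs with its own key
	return
}

func main() { fmt.Println(Demo()) }
```

The check covers the compromised-server case only: anyone able to sign with the vendor key, including an insider, can still ship code that clients will accept.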