funsec mailing list archives

RE: Sony's XCP player includes an auto-update feature


From: Matt Jonkman <mjonkman () infotex com>
Date: Mon, 21 Nov 2005 18:28:21 -0500

This has been one of my big talking points in spyware talks for a couple
years now.

When confronted with the people that are of the mindset that "Spyware is
just sending them where I'm shopping, I don't care if it does", you
have to raise this point. It's pulling new code, most of them every day,
and running it as administrator on your computer. 

They don't say what it does, who is putting that together, or who
they're selling that space to. 

If I were a bad guy, and I wanted an instant HUGE botnet, I'd be beating
on 180solutions or Claria's doors. Or getting a job there as a lowly
coder. One daily update and you've got a multi-million botnet.

It's only a matter of time. Or it may have happened already, but it'd
certainly not be disclosed unless one of us discovered it...

Matt

On Mon, 2005-11-21 at 17:13 -0500, Richard M. Smith wrote:
One of the problems that I have with auto-update software is that a
disgruntled employee can use the feature to quickly distribute and run
malicious software on a large number of computers.  The bad guys can also
use auto-update to distribute malware if they can break into an insecure
update server assuming that auto-updates don't have to be digitally signed.
I wonder who at First 4 Internet, Sony's DRM vendor, would know about the
security measures that the company has taken in the auto-update process?

Richard 

-----Original Message-----
From: Paul Schmehl [mailto:pauls () utdallas edu] 
Sent: Monday, November 21, 2005 4:59 PM
To: Richard M. Smith; funsec () linuxbox org
Subject: Re: [funsec] Sony's XCP player includes an auto-update feature

--On Monday, November 21, 2005 16:33:17 -0500 "Richard M. Smith" 
<rms () computerbytesman com> wrote:

As it turns out, there's a clear solution: A self-updating messaging 
system already built into Sony's XCP player. Every time a user plays a 
XCP-affected CD, the XCP player checks in with Sony's server. As 
Russinovich explained, usually Sony's server sends back a null response.
But with small adjustments on Sony's end -- just changing the output 
of a single script on a Sony web server -- the XCP player can 
automatically inform users of the software improperly installed on 
their hard drives, and of their resulting rights and choices.

I wouldn't hold your breath waiting for that to happen.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
-- 
--------------------------------------------
  Matthew Jonkman, CISSP
  Chief Technical Officer
  Infotex
  765-429-0398 Direct Anytime
  765-448-6847 Office
  866-679-5177 24x7 NOC
  www.infotex.com
  my.infotex.com
  www.bleedingsnort.com
--------------------------------------------

  NOTICE: The information contained in this email is confidential
  and intended solely for the intended recipient. Any use,
  distribution, transmittal or retransmittal of information
  contained in this email by persons who are not intended
  recipients may be a violation of law and is strictly prohibited.
  If you are not the intended recipient, please contact the sender
  and delete all copies.
