
Re: [Full-disclosure] This crap needs to stop

Subject: Re: [Full-disclosure] This crap needs to stop
Date: Mon, 28 Nov 2005 19:12:55 -0500
Paul Schmehl wrote:
> Well, that's not what I said, but doesn't a company have a responsibility
> to virus-check any software they ship *before* they ship it?  It's not like
> this is something so new that a normal check wouldn't have found it.
>
> And isn't the *effect* on the end user the same?  Yes, the motivation was
> perhaps different, but how does that matter to the customer whose computer
> is now trojaned?  Does "we didn't mean to do it" excuse them?

> doesn't a company have a responsibility
> to virus-check any software they ship *before* they ship it?

Yes. I hope I didn't imply otherwise, or that it's OK to sell hard
drives that are infected by trojans.

> And isn't the *effect* on the end user the same?

No. Sony is making war against its customers. They apologized
primarily because their spying technique caused harm to the day-to-day
operation of their customers' computers--you can see that in their
official statements. They are only sorry because their spying
technique was not effective enough.

I-O Data recalled the hard drives immediately--compare this to Sony's
reaction. (If you want to remove the rootkit, you have to give Sony
your personal information. Sony has yet to release an official removal
tool similar to Sophos's--that you can download anonymously.)

There is backlash against Sony right now, but it's not clear that that
will continue. For quite some time large corporations have been
intruding on the rights of users to control what their own computers
are doing. That's fundamentally what spyware is about, and that's why
Steve Gibson (GRC.com) has been so successful with his trademarked
phrase, "IT'S MY COMPUTER!" Many people think DRM and other things
designed to stop people from controlling the operation of their
computers are OK.

For quite some time, large (and small) corporations have been
intruding on the rights of their customers to keep their personal
information private. This is what spyware is about, secondarily. Sony
got burned because they did this in a politically gauche way. It's not
as if we're not going to see this again. When we do see it again, I
think it's important that we differentiate it from really embarrassing
mistakes, like the one made by people at I-O Data, or we're not going
to be able to fight it effectively.

The effect to end users of an act carried out in maliciousness as part
of a targeted, coordinated effort to violate their privacy and prevent
them from controlling the behavior of their own computers is worse
than an isolated error that is quickly addressed.

-Eliah
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
