Security Blog 


11.20.2005

Sony rootkit thoughts
Bruce Schneier nails the Sony rootkit story. I didn't pay much attention to it, because I haven't purchased a CD in close to 2 years (thanks iTunes). But I skimmed the news stories coming out, and each time my jaw dropped a little further: 500k machines infected, including government boxes, cloaking software, Sony's CEO making silly statements... But the real story, as Bruce Schneier points out, is this: why the hell didn't any antivirus software (or IDS, for that matter) detect this software sooner? We are collectively paying these companies billions of dollars for what?

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.

Thanks, Bruce, for shining a light on the overlooked aspect of the Sony story. It's really making me rethink our industry's so-called defense mechanisms.