Security

It’s been a busy couple of days in the never-ending soap opera that is the Sony BMG rootkit saga. Here are some of the latest developments:

• Microsoft says it’s "concerned" about the issue, saying security is the company’s "top priority."
• The first trojan to take advantage of the Sony rootkit has reportedly been found; a new version of the Breblibot Trojan specifically tied to the Sony software is in the wild, though no specific infections have been cited.
• At least one more lawsuit has been filed against Sony, in addition to the one in Italy that was filed earlier this week. The new suit, filed in California, alleges that Sony has violated at least three state laws, including one that specifically prohibits spyware.
• And how is Sony dealing with all of this? The company basically sees the problem as a non-issue: "Most people don’t even know what a rootkit is, so why should they care about it?" Thomas Hesse, the president of Sony BMG’s global digital business division, told NPR. In the meantime, however, the company has dropped the DRM in question, though it will continue to use copy protection on future CD releases.

Maintaining a secure list of all the passwords and serial numbers that we have to deal with today is a real challenge. If you use a Smartphone SplashID is a great option. For those who don’t have a Smartphone, and are looking for a portable password store, KeePass is an excellent choice.

KeyPass is a free, highly secure, password storage system that doesn’t require installation. In other words, you can carry around your list of passwords on your favorite USB storage media. KeePass supports the Advanced Encryption Standard (AES) and the Twofish algorithms to encrypt its password databases. You can file and sort your passwords, attach memorable icons to them, as well as notes. KeePass has a really nice random password generation feature that lets you set how sophisticated the random password should be. This application is certainly worth a look if you are on the move, and trying to manage huge list of logins, passwords and serial numbers.

Symantec has released its latest software security report and has some words of caution for two groups that may have felt they were relatively safe from spyware, viruses and other malware. According to the Internet Security Threat Report, Firefox and Mac OSX represent fertile ground for malware writers, and users of the browser and OS need to be aware of the threat. "Cross-site scripting attacks have been used to attack more vulnerabilities in Mozilla browsers over the last six months than IE," Symantec’s Graham Pinkney said. Meanwhile, the report charged Mac users with living in a "false paradise" and pointed to the newfound popularity of the OSX/Weapox rootkit, which is able to take over certain Unix functions in some versions of OSX.

Forget downloading just any bootleg copy of Windows XP. If you really want to impress your friends and wow Microsoft’s lawyers, you need to get a remixed version. Pirate remixes include features you can’t get from Microsoft, including a "mini-XP" bootable CD, stripped down versions with minimal drivers, and streamlined installers. Bootlegs also often have the latest patches pre-installed, which is handy, since you’re not exactly going to visit Windows Update while running "WinXP SP2 Lite Edition."

In my endless search for new downloads, I was recently struck by the fact that three of the top five most popular files on a major download site were spyware and adware removal programs (the other two were IM and P2P programs). While I suppose it shouldn’t be surprising, given the amount of press spyware and adware issues have received, it piqued my interest a bit. So, this week’s Ask Download Squad: how do you deal with spyware and adware? Do you use one of the popular, free programs like Ad-Aware SE? Do you pay for a premium spyware-removal program? Do you reinstall Windows once a week? Or do you think that, since you use Firefox instead of IE (or a Mac instead of Windows) you’re immune? Let us know! Post your answer in the Comments section below. And, if you’d like to have your question included here, send it to us using this form. We’ll post one question each week.

Sure, software piracy is a bad thing (especially when the victims are

small developers looking for a break in a market dominated by the big

boys — so pay those shareware fees, already!). However, in a recent blog posting,

Chris "Long Tail" Anderson argues that a little piracy can actually be

a good thing. Anderson says that for DRM to be successful, it would

have to be so onerous that it would actually undermine sales, citing

the examples of hardware dongles (mostly abandoned by software

companies) and onerous registration processes (alas, still with us).

Instead, he suggests that companies acknowledge that they’re always

going to have to deal with a certain amount of piracy, and adjust their

business models to it. He even mentions speaking to an unnamed former

Microsoft exec, who says the company long ago gave in, and ceded the

bottom end of the market to pirates, recognizing that it was better

than slashing prices to make their products attractive to more

consumers. In turn, says Anderson, Microsoft has been able to charge

more for their products, while making them less difficult for corporate

customers to install (of course, that doesn’t factor in recent efforts

like Genuine Advantage,

but that’s Microsoft for you.) I actually think Anderson’s comments

make a lot of sense; it’s sort of like the way retailers have functioned for years. They quietly factor in a certain amount of "shrinkage" as the cost of doing business; the alternative, of putting everything behind glass, would drive away too many legit customers. Is the software industry’s equivalent that torrent of Microsoft

Office being downloaded by a teenager would never pay for the legit

thing anyhow?

There’s no beer involved, but according to Steve Dodson’s blog Microsoft’s AntiSpyware will NOT be a commercial application. That is, it will remain free for anyone running a genuine XP install. As long as you do the "Windows Genuine Advantage" thing, no problem. Apparently someone had posted up a purported comment from an MS employee stating AntiSpyware was no longer going to be free. Never trust those message boards, kids.

Steve goes on to explain that MS has said from day one that AntiSpyware will continue to be free. They will be rolling out an Enterprise edition so companies can administer the app as any good company would — from a server. Also, he reiterated the May announcement on OneCare, which is a bundle of services including antivirus, firewall, PC maintenance, and backup (for data and settings). OneCare will charge, but it’s still in beta for now as well.