Conflicting Interests

The Sony rootkit story brings to light interesting ethical questions.

Created by tseaver. Last modified 2005-11-18 15:11:54.

Bruce Scneier's damning account of Sony's rootkit indicts the anti-virus software providers:

What happens when the creators of malware collude with the very companies we hire to protect us from that malware?
We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.

Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?

These questions are the real story, and we all deserve answers.

The essence here is confusion (and therefore conflict) of interests:

did the A/V providers failed to identify this threat because Sony is a big company who might sue them?
did they fear to supply removal tools (none of them have yet provided a way to remove anything but the "cloaking" part of the rootkit) because of the ill-considered, ill-written, "private law" known as the DMCA?
were more sinister motives at play?

For whatever reason, they neglected the interests of their paying customers. As Chris McDonough's pointed out in his Agendaless Consulting , the only way to stay sane in a mess like this is to stay transparent, as well as loyal to the true interests of the customer.