Sony BMG Knew About The Rootkit Before It Went Public
from the anatomy-of-a-PR-disaster dept
The more that comes out about the whole Sony BMG rootkit fiasco, the worse both Sony BMG and First4Internet look. Now it's coming out that both companies knew about the rootkit a month before the news went public on Mark Russinovich's blog. One of the interesting things in this whole story was how that one blog post has resulted in so much trouble for both Sony BMG and First4Internet, but Business Week has learned that F-Secure had actually notified both companies earlier in October, after someone else had discovered the Sony BMG rootkit and sent it in to the security company (which goes some way toward answering the question of why security firms didn't spot it earlier). F-Secure apparently had some conversations with both Sony BMG and First4Internet -- but it seems that both companies were slow to recognize how potentially dangerous this was. First4Internet appears to have been especially stubborn that this didn't need fixing because no one knew about it (security by obscurity). F-Secure agreed to keep the rootkit quiet until the two companies had worked out a solution, but it appears that arguing between Sony BMG and First4Internet slowed down any patch development -- meaning they eventually had to "rush" it out when the story became public. The whole story is an excellent case study for anyone who thinks that security by obscurity is somehow a reasonable plan.
Reader Comments
Lawsuit Defense Ruined
Mr. Spitzer, if you visit TechDirt and Slashdot, please nail SonyBMG really good for this!
We are seeing the beginning of the end of DRM. This whole fiasco has brought DRM to the limelight and it's being cast in a very bad light. Once something has been represented as BAD it's next to impossible to get people to think of it as anything other than that. DRM will come to represent something BAD to consumers, and anything that uses it or is found to use it will not sell very well or at all.
Thank you SonyBMG for triggering the beginning of the end of DRM.
Re: Lawsuit Defense Ruined
Not exactly. It had been in the wild for a year prior. What it does say/state is that they supposedly had begun to realize just how horribly they f'd up, but not until someone rubbed their noses in it.
Re: Lawsuit Defense Ruined
True, to some extent. There is still an education factor. The general public is not technically acclimated to understand this fiasco at face value.
Re: Lawsuit Defense Ruined
Looks like it's time for a new acronym. They won't abandon it, just lay low for a while and rename it.
No Subject Given
It was feigned innocence by obscurity.
Which then became plausible denial by obscurity.
Which has become...
Was this ever in question?
Re: Was this ever in question?
The point here is that they were never claiming they didn't know about it, but rather that they weren't aware of the security nightmare it posed for users. Now it transpires that F-Secure told them about the security problems and they did nothing, hoping it would go away because nobody had spotted it yet.
...beginning of the end for drm...
I doubt it! What this means is that next time they'll get it right, that's all. They will look to Microsoft to include a digital music copy protection system in longtooth / vista, or whatever they are calling it these days. Between the studios and the labels, the plan is to have the DRM built in at OS level... and mac-heads, don't look so smug - pretty soon our funky looking unix based friends are going to come with an intel inside logo stuck on the casing - lord only knows what's going to be going on under the hood. I'm going to have to learn red hat!!!
Re: Was this ever in question?
I love the way we are referring to "it" as a rootkit!
death penalty
No Subject Given
Factor in stuff like this: http://www.techdirt.com/articles/20051128/1412218_F.shtml
(In which we discover that the creators of the Sony Rootkit were totally clueless as to how to actually write the thing they had sold/were selling to Sony, and were asking stupid newbie questions on various newsgroups – attempting to get other people to write it for them!)
It seems to me that Sony probably commissioned First4Internet(F4I) to write something that would ‘Stop folk being able to copy their music’.
First4Internet (as if you couldn't tell from the name) turned out to be a bunch of kids with some suit up front to do the deals and talk the talk.
F4I obviously had no experience writing DRM stuff, and probably no experience writing anything other than college projects, so went about doing the best they could. They were undoubtedly aware of the security implications of their code, and probably got all excited whenever they thought of every single PC in the world having a backdoor that’d let them in. Having little experience of the real world, they probably imagined that their code was undetectable and that they would never ever be caught. Bah! Kids!
Their website is now offline, and they're not answering the phone – you can just imagine what Sony's assault lawyers are doing to them right now – hefty launderette bills, I bet! Brown trousers all round.
I suggest that Sony wasn't made aware of security concerns by F4I. Sony _was_ made aware of the rootkit by F-Prot though, and instead of jumping into action, chose to do nothing. This is Sony's crime.
They hired a bunch of ‘7331 Haxx0rs’ dudes rather than a proper development company.
They didn’t properly check code that was going to be installed on millions of computers around the world in their name.
As a consequence, they got ‘teh Pw0ned#’ good and proper – I wonder how many of the Sony PCs were/are backdoored by the kit?
As a consequence, an estimated half a million networks (http://wired-vig.wired.com/news/technology/0,1282,69573,00.html?tw=wn_tophead_2) got compromised, including US military and government nets…
When Sony discovered this, they should have leaped into action, sacked & sued F4I to death and done whatever they could to fix things. Instead, we get the 'Most people are too stupid to know or care' defence (http://www.betanews.com/article/Sony_President_Rootkit_of_No_Concern/1131475197) and more code from the F4I kids, with more backdoors.
I think the whole thing was best summed up by one of Scotland's Pioneers of Pop, Rabbie Burns (whose career seemed to survive the lack of copyright laws, and blatant royalty free performances):
'Oh what a tangled web we weave, when first we practice to deceive.'
(Tae a Louse – if I remember correctly. Gosh, how apt)