The more that comes out about the whole Sony BMG rootkit fiasco, the worse both Sony BMG and First4Internet look. Now it's coming out that both companies knew about the rootkit about a month before the news went public on Mark Russinovich's blog. One of the interesting things in this whole story was how a single blog post caused so much trouble for both Sony BMG and First4Internet, but Business Week has learned that F-Secure had actually notified both companies earlier in October, after someone else discovered the Sony BMG rootkit and sent it in to the security company (which goes some way toward answering the question of why security firms didn't spot it earlier). F-Secure apparently had conversations with both Sony BMG and First4Internet, but it seems that both companies were slow to recognize how potentially dangerous this was. First4Internet appears to have been especially stubborn that this didn't need fixing because no one knew about it (security by obscurity). F-Secure agreed to keep the rootkit quiet until the two companies had worked out a solution, but it appears that arguing between Sony BMG and First4Internet slowed down any patch development, meaning they eventually had to "rush" one out when the story became public. The whole story is an excellent case study for anyone who thinks that security by obscurity is somehow a reasonable plan: the rootkit was found independently at least twice within a few weeks, once by F-Secure's source and once by Russinovich, which is exactly the failure mode that "no one knows about it" cannot protect against.