Sony BMG Knew About The Rootkit Before It Went Public

from the anatomy-of-a-PR-disaster dept

The more that comes out about the whole Sony BMG rootkit fiasco, the worse both Sony BMG and First4Internet look. Now it's coming out that both companies knew about the rootkit a month before the news went public on Mark Russinovich's blog. One of the interesting things in this whole story was how that one blog post resulted in so much trouble for both Sony BMG and First4Internet, but Business Week has learned that F-Secure had actually notified both companies earlier in October, after someone else had discovered the Sony BMG rootkit and sent it in to the security company (which provides something of a response to questions about why security firms didn't spot it earlier). F-Secure apparently had some conversations with both Sony BMG and First4Internet -- but it seems that both companies were slow to recognize how potentially dangerous this was. First4Internet appears to have been especially stubborn in insisting that this didn't need fixing because no one knew about it (security by obscurity). F-Secure agreed to keep the rootkit quiet until the two companies had worked out a solution, but it appears that arguing between Sony BMG and First4Internet slowed down any patch development -- meaning they eventually had to "rush" it out when the story became public. The whole story is an excellent case study for anyone who thinks that security by obscurity is somehow a reasonable plan.


Reader Comments

  1.  
    Michael "TheZorch" Haney, Nov 29th, 2005 @ 12:38pm

    Lawsuit Defense Ruined

    This news basically ruins any defense SonyBMG may have in the current and future lawsuits. They can't claim that they didn't know this would happen because it's known now that they did ahead of time and did nothing.

    Mr. Spitzer, if you visit TechDirt and Slashdot, please nail SonyBMG really good for this!

    We are seeing the beginning of the end of DRM. This whole fiasco has brought DRM to the limelight and it's being cast in a very bad light. Once something has been represented as BAD it's next to impossible to get people to think of it as anything other than that. DRM will come to represent something BAD to consumers, and anything that uses it or is found to use it will not sell very well or at all.

    Thank you SonyBMG for triggering the beginning of the end of DRM.

     

  2.  
    Joe Schmoe, Nov 29th, 2005 @ 1:05pm

    No Subject Given

    This was not security by obscurity.

    It was feigned innocence by obscurity.

    Which then became plausible denial by obscurity.

    Which has become...

     

  3.  
    Joe Schmoe, Nov 29th, 2005 @ 1:10pm

    Re: Lawsuit Defense Ruined

    > They can't claim that they didn't know this would happen because it's known now that they did ahead of time and did nothing.

    Not exactly. It had been in the wild for a year prior. What it does say/state is that they supposedly had begun to realize just how horribly they f'd up, but not until someone rubbed their noses in it.

     

  4.  
    Joe Schmoe, Nov 29th, 2005 @ 1:12pm

    Re: Lawsuit Defense Ruined

    > We are seeing the beginning of the end of DRM. This whole fiasco has brought DRM to the limelight and it's being cast in a very bad light. Once something has been represented as BAD it's next to impossible to get people to think of it as anything other than that. DRM will come to represent something BAD to consumers, and anything that uses it or is found to use it will not sell very well or at all.

    True, to some extent. There is still an education factor. The general public is not technically acclimated to understand this fiasco at face value.

     

  5.  
    Riley, Nov 29th, 2005 @ 1:24pm

    Was this ever in question?

    They PROGRAMMED the damn rootkit, how could they not know about it? They didn't do anything about it when it was first brought to their attention because - DUH, they knew exactly what they intentionally put there right from the start. The only thing that has caught them by surprise has been the consumer backlash and maybe the fact that they were found out (although they would have to be idiots not to realize that was going to happen sooner or later).

     

  6.  
    quintin, Nov 29th, 2005 @ 3:13pm

    death penalty

     

  7.  
    Saucy Del Mar, Nov 29th, 2005 @ 4:18pm

    Re: Lawsuit Defense Ruined

    > Thank you SonyBMG for triggering the beginning of the end of DRM.

    Looks like it's time for a new acronym. They won't abandon it, just lay low for a while and rename it.

     

  8.  
    Anonymous Coward, Nov 29th, 2005 @ 7:33pm

    Re: Lawsuit Defense Ruined

    Sony voted FOR the rootkit before they voted AGAINST it!

     

  9.  
    Anonymous Coward, Nov 30th, 2005 @ 12:04am

    Re: Lawsuit Defense Ruined

    Just about everyone out there understands "Sony puts spyware on its music CDs". No education needed. The biggest problem is getting the word out. Mainstream news outlets didn't touch this till it was well underway in the blogosphere.

     

  10.  
    Boo, Nov 30th, 2005 @ 12:53am

    Re: Was this ever in question?

    > They didn't do anything about it when it was first brought to their attention because - DUH, they knew exactly what they intentionally put there right from the start.

    The point here is that they were never claiming they didn't know about it, but rather that they weren't aware of the security nightmare it posed for users. Now it transpires that F-Secure told them about the security problems and they did nothing, hoping it would go away because nobody had spotted it yet.

    ...beginning of the end for drm...

    I doubt it! What this means is that next time they'll get it right, that's all. They will look to Microsoft to include a digital music copy protection system in longtooth / vista, or whatever they are calling it these days. Between the studios and the labels, the plan is to have the drm built in at OS level... and mac-heads, don't look so smug - pretty soon our funky looking unix based friends are going to come with an intel inside logo stuck on the casing - lord only knows what's going to be going on under the hood. I'm going to have to learn red hat!!!

     

  11.  
    Anonymous Coward, Nov 30th, 2005 @ 3:59am

    No Subject Given

    Actually, I’m starting to get a slightly different picture of events now. One in which Sony are not pure evil, rather just plain stupid.
    Factor in stuff like this : http://www.techdirt.com/articles/20051128/1412218_F.shtml
    (In which we discover that the creators of the Sony Rootkit were totally clueless as to how to actually write the thing they had sold/were selling to Sony, and were asking stupid newbie questions on various newsgroups – attempting to get other people to write it for them!)
    It seems to me that Sony probably commissioned First4Internet(F4I) to write something that would ‘Stop folk being able to copy their music’.
    First4Internet (as if you couldn’t tell from the name) turned out to be a bunch of Kids with some Suit up front to do the deals and talk the talk.
    F4I obviously had no experience writing DRM stuff, and probably no experience writing anything other than college projects, so went about doing the best they could. They were undoubtedly aware of the security implications of their code, and probably got all excited whenever they thought of every single PC in the world having a backdoor that’d let them in. Having little experience of the real world, they probably imagined that their code was undetectable and that they would never ever be caught. Bah! Kids!
    Their website is now off-line, and they’re not answering the phone – you can just imagine what Sony’s assault lawyers are doing to them right now – hefty launderette bills, I bet! Brown trousers all round.
    I suggest that Sony wasn’t made aware of Security concerns by F4I. Sony _was_ made aware of the rootkit by F-Prot though, and instead of jumping into action, chose to do nothing. This is Sony’s crime.
    They hired a bunch of ‘7331 Haxx0rs’ dudes rather than a proper development company.
    They didn’t properly check code that was going to be installed on millions of computers around the world in their name.
    As a consequence, they got ‘teh Pw0ned#’ good and proper – I wonder how many of the Sony PCs were/are backdoored by the kit?
    As a consequence, an estimated half a million networks (http://wired-vig.wired.com/news/technology/0,1282,69573,00.html?tw=wn_tophead_2 ) got compromised, including US military and government nets…
    When Sony discovered this, they should have leaped into action, sacked & sued F4I to death and done whatever they could to fix things. Instead, we get the ‘Most people are too stupid to know or care ’ defence, ( http://www.betanews.com/article/Sony_President_Rootkit_of_No_Concern/1131475197 ) and more code from the F4I kids, with more backdoors.
    I think the whole thing was best summed up by one of Scotland’s Pioneers of Pop, Rabbie Burns : (whose career seemed to survive the lack of copyright laws, and blatant royalty free performances)
    'Oh what a tangled web we weave, when first we practice to deceive.'
    (Tae a Louse – if I remember correctly. Gosh, how apt)

     

  12.  
    Sissy Pants, Nov 30th, 2005 @ 6:25am

    Re: Was this ever in question?

    "They PROGRAMMED the damn rootkit"

    I love the way we are referring to "it" as a rootkit!

     
