Sony BMG Knew About The Rootkit Before It Went Public
from the anatomy-of-a-PR-disaster dept
The more that comes out about the whole Sony BMG rootkit fiasco, the worse both Sony BMG and First4Internet look. Now it's coming out that both companies knew about the rootkit a month before the news went public on Mark Russinovich's blog. One of the interesting things in this whole story was how that one blog post has resulted in so much trouble for both Sony BMG and First4Internet, but Business Week has learned that F-Secure had actually notified both companies earlier in October, after someone else had discovered the Sony BMG rootkit and submitted it to the security company (which provides something of a response to questions about why security firms didn't spot it earlier). F-Secure apparently had some conversations with both Sony BMG and First4Internet -- but it seems that both companies were slow to recognize how potentially dangerous this was. First4Internet appears to have been especially stubborn, insisting that this didn't need fixing because no one knew about it (security by obscurity). F-Secure agreed to keep the rootkit quiet until the two companies had worked out a solution, but it appears that arguing between Sony BMG and First4Internet slowed down any patch development -- meaning they eventually had to "rush" one out when the story became public. The whole story is an excellent case study for anyone who thinks that security by obscurity is somehow a reasonable plan.