Sony BMG Knew About The Rootkit Before It Went Public

from the anatomy-of-a-PR-disaster dept

The more that comes out about the Sony BMG rootkit fiasco, the worse both Sony BMG and First4Internet look. It now turns out that both companies knew about the rootkit a month before the news went public on Mark Russinovich's blog. One of the interesting things in this whole story has been how that single blog post caused so much trouble for both Sony BMG and First4Internet, but Business Week has learned that F-Secure had actually notified both companies earlier in October, after someone else had discovered the Sony BMG rootkit and sent it in to the security company (which goes some way toward answering why security firms hadn't spotted it earlier). F-Secure apparently had some conversations with both Sony BMG and First4Internet -- but it seems that both companies were slow to recognize how potentially dangerous this was. First4Internet appears to have been especially stubborn that this didn't need fixing because no one knew about it (security by obscurity). F-Secure agreed to keep the rootkit quiet until the two companies had worked out a solution, but it appears that arguing between Sony BMG and First4Internet slowed down any patch development -- meaning they eventually had to "rush" it out when the story became public. The whole story is an excellent case study for anyone who thinks that security by obscurity is somehow a reasonable plan.

Reader Comments



  • Michael "TheZorch" Haney, 29 Nov 2005 @ 12:38pm

    Lawsuit Defense Ruined

    This news basically ruins any defense SonyBMG may have in the current and future lawsuits. They can't claim that they didn't know this would happen because it's known now that they did ahead of time and did nothing.

    Mr. Spitzer, if you visit TechDirt and Slashdot, please nail SonyBMG really good for this!

    We are seeing the beginning of the end of DRM. This whole fiasco has brought DRM to the limelight and it's being cast in a very bad light. Once something has been represented as BAD it's next to impossible to get people to think of it as anything other than that. DRM will come to represent something BAD to consumers, and anything that uses it or is found to use it will not sell very well or at all.

    Thank you SonyBMG for triggering the beginning of the end of DRM.


    • Joe Schmoe, 29 Nov 2005 @ 1:10pm

      Re: Lawsuit Defense Ruined

      > They can't claim that they didn't know this would happen because it's known now that they did ahead of time and did nothing.

      Not exactly. It had been in the wild for a year prior. What it does say/state is that they supposedly had begun to realize just how horribly they f'd up, but not until someone rubbed their noses in it.


    • Joe Schmoe, 29 Nov 2005 @ 1:12pm

      Re: Lawsuit Defense Ruined

      > We are seeing the beginning of the end of DRM. This whole fiasco has brought DRM to the limelight and it's being cast in a very bad light. Once something has been represented as BAD it's next to impossible to get people to think of it as anything other than that. DRM will come to represent something BAD to consumers, and anything that uses it or is found to use it will not sell very well or at all.

      True, to some extent. There is still an education factor. The general public is not technically acclimated to understand this fiasco at face value.


      • Anonymous Coward, 30 Nov 2005 @ 12:04am

        Re: Lawsuit Defense Ruined

        Just about everyone out there understands "Sony puts spyware on its music CDs". No education needed. The biggest problem is getting the word out. Mainstream news outlets didn't touch this till it was well underway in the blogosphere.


    • Saucy Del Mar, 29 Nov 2005 @ 4:18pm

      Re: Lawsuit Defense Ruined

      > Thank you SonyBMG for triggering the beginning of the end of DRM.

      Looks like it's time for a new acronym. They won't abandon it, just lay low for a while and rename it.


  • Joe Schmoe, 29 Nov 2005 @ 1:05pm

    No Subject Given

    This was not security by obscurity.

    It was feigned innocence by obscurity.

    Which then became plausible denial by obscurity.

    Which has become...


  • Riley, 29 Nov 2005 @ 1:24pm

    Was this ever in question?

    They PROGRAMMED the damn rootkit, how could they not know about it? They didn't do anything about it when it was first brought to their attention because - DUH, they knew exactly what they intentionally put there right from the start. The only thing that has caught them by surprise has been the consumer backlash and maybe the fact that they were found out (although they would have to be idiots not to realize that was going to happen sooner or later).


    • Boo, 30 Nov 2005 @ 12:53am

      Re: Was this ever in question?

      > They didn't do anything about it when it was first brought to their attention because - DUH, they knew exactly what they intentionally put there right from the start.

      The point here is that they were never claiming they didn't know about it, but rather that they weren't aware of the security nightmare it posed for users. Now it transpires that F-Secure told them about the security problems and they did nothing, hoping it would go away because nobody had spotted it yet.

      > ...beginning of the end for DRM...

      I doubt it! What this means is that next time they'll get it right, that's all. They will look to Microsoft to include a digital music copy protection system in longtooth / vista, or whatever they are calling it these days. Between the studios and the labels, the plan is to have the DRM built in at OS level... and mac-heads, don't look so smug - pretty soon our funky looking unix based friends are going to come with an intel inside logo stuck on the casing - lord only knows what's going to be going on under the hood. I'm going to have to learn red hat!!!


    • Sissy Pants, 30 Nov 2005 @ 6:25am

      Re: Was this ever in question?

      > They PROGRAMMED the damn rootkit

      I love the way we are referring to "it" as a rootkit!


  • quintin, 29 Nov 2005 @ 3:13pm

    death penalty


  • Anonymous Coward, 30 Nov 2005 @ 3:59am

    No Subject Given

    Actually, I’m starting to get a slightly different picture of events now. One in which Sony are not pure evil, rather just plain stupid.
    Factor in stuff like this : http://www.techdirt.com/articles/20051128/1412218_F.shtml
    (In which we discover that the creators of the Sony Rootkit were totally clueless as to how to actually write the thing they had sold/were selling to Sony, and were asking stupid newbie questions on various newsgroups – attempting to get other people to write it for them!)
    It seems to me that Sony probably commissioned First4Internet(F4I) to write something that would ‘Stop folk being able to copy their music’.
    First4Internet (as if you couldn’t tell from the name) turned out to be a bunch of Kids with some Suit up front to do the deals and talk the talk.
    F4I obviously had no experience writing DRM stuff, and probably no experience writing anything other than college projects, so went about doing the best they could. They were undoubtedly aware of the security implications of their code, and probably got all excited whenever they thought of every single PC in the world having a backdoor that’d let them in. Having little experience of the real world, they probably imagined that their code was undetectable and that they would never ever be caught. Bah! Kids!
    Their website is now off-line, and they’re not answering the phone – you can just imagine what Sony’s assault lawyers are doing to them right now – hefty launderette bills, I bet! Brown trousers all round.
    I suggest that Sony wasn’t made aware of Security concerns by F4I. Sony _was_ made aware of the rootkit by F-Prot though, and instead of jumping into action, chose to do nothing. This is Sony’s crime.
    They hired a bunch of ‘7331 Haxx0rs’ dudes rather than a proper development company.
    They didn’t properly check code that was going to be installed on millions of computers around the world in their name.
    As a consequence, they got ‘teh Pw0ned#’ good and proper – I wonder how many of the Sony PCs were/are backdoored by the kit?
    As a consequence, an estimated half a million networks (http://wired-vig.wired.com/news/technology/0,1282,69573,00.html?tw=wn_tophead_2 ) got compromised, including US military and government nets…
    When Sony discovered this, they should have leaped into action, sacked & sued F4I to death and done whatever they could to fix things. Instead, we get the ‘Most people are too stupid to know or care ’ defence, ( http://www.betanews.com/article/Sony_President_Rootkit_of_No_Concern/1131475197 ) and more code from the F4I kids, with more backdoors.
    I think the whole thing was best summed up by one of Scotland's Pioneers of Pop, Rabbie Burns (whose career seemed to survive the lack of copyright laws, and blatant royalty free performances):
    'Oh what a tangled web we weave, when first we practice to deceive.'
    (Tae a Louse – if I remember correctly. Gosh, how apt)


