The Loeki's Strange Omniverse

Summary of a PR-nightmare

posted Wednesday, 30 November 2005

On October 31st, 2005, one of Windows system administration's big heroes, Mark Russinovich of SysInternals, wrote in this article about his more or less accidental discovery, made with his rootkit scanner, of a rootkit named XCP by First4Internet, which was delivered with protected Sony BMG audio CDs.


Not only that, but SysInternals also reported that XCP was rather badly programmed, rendering computers extremely vulnerable thanks to the gaping security holes that were in it. Aside from that, the rootkit unnecessarily slowed down your PC, and they included a number of tricks and deceptions to hide it all from even an above-average user.


These facts were enough to get the internet buzzing. More and more people latched on to the story, and from that point on things got progressively worse for SonyBMG, not least because of their own responses. The buzz became a roar.


They scrambled into damage control mode, and on November 3 a patch and an uninstaller were written and "released". It turned out, however, that it was nigh impossible for mere mortals to get their hands on the installer, and for those who managed to find the links and forms there was an obligatory human authorisation by SonyBMG. Apart from that, it became very clear that SonyBMG's EULA not only didn't mention XCP, but stayed quiet about installing software which (as it turned out) phoned home, communicating who-knows-what across the internet. Sony's patch release notes went as far as to plainly lie about the dangers involved in the rootkit.


Mark Russinovich's next article on SysInternals on November 4 made matters much worse. The roar was now quickly turning into an earthquake as thousands upon thousands of people started to take notice and the XCP story was picked up by the mainstream press, which was very bad news for Sony. And with the entire internet looking over their shoulders, Thomas Hesse, President of Sony Global Digital Business, gave an interview on NPR, literally stating: "Most people, I think, don't even know what a rootkit is, so why should they care about it?".
That was just the oil on the flames that was needed to get the earthquake spinning out of control very quickly.
In the meantime every antivirus firm had been alerted to the problems and started to adapt their software to detect and classify XCP.


The patch, on the other hand, turned out to be put together with such haste that it not only didn't remedy the situation, it worsened it. Within a couple of hours after the patch's release, reports were turning up showing it was even worse than the original software, and besides "de-rootkitting" the rootkit it even installed a completely new attempt.


After the first script-kiddie viruses using SonyBMG's rootkit appeared, Sony finally responded on November 12 by "temporarily" halting production of XCP CDs. By then a number of lawsuits had been filed, and SonyBMG's EULA came under scrutiny, with rather damaging results. XCP even turned out to willingly violate a license itself, the (L)GPL, by using LAME amongst others. Others attacked another CD copy protection used by Sony, MediaMax by SunnComm, again with disastrous results. That software turned out to include some rather shady methods and programming, and it was automatically installed and run on every PC, even after specifically declining the EULA. And again the provided uninstaller only made matters much worse. Sony's crisis deepened, and after another couple of days of dramatically bad press they finally gave in on November 16.


The other side of the music distribution equation started stirring as well. Fans were complaining and boycotting, which had an abundantly clear impact on sales. Gartner (yes, the Gartner) meanwhile devised a simple, though highly effective countermeasure which has been around since the early days of the CD.


The nightmare is far from over. Today it was revealed that F-Secure notified SonyBMG as far back as September about the problems, and they did next to nothing about it. By now you can even download the MP3s for the CDs in question, and the latest uproar is about the CDs not actually having been recalled. The infamous name of Eliot Spitzer was added to the list of lawsuits.


The worst thing about it all to me is that to this day SonyBMG has yet to admit they made some grave errors, although this is quite possibly due to the legal implications such a move would have. Besides, Sony has tried before, and they're now trying to do things right immediately with Blu-ray. I don't think this is the last we've heard from Sony regarding audio CDs either. That's why they've earned their "Evil" stamp rightly. We'll have to see how much backlash this will have on sales and on the PlayStation 3.


And of course SysInternals' Mark Russinovich deserves a beatification for his discovery and the resulting uproar. It's very clear that this has raised awareness tremendously, and that this is not something that will blow over quickly.
