RIAA President Downplays Sony Rootkit
November 20, 2005
Thomas Mennecke
Someone must have built a lead shield around the RIAA headquarters in Washington, DC. It's the only way to explain how RIAA president Cary Sherman doesn't see the enormously serious consumer backlash against Sony-BMG. During a university press round table discussion, Cary Sherman spoke with university journalists on various file-sharing issues, including the Sony-BMG fiasco.

Few individuals would consider Sony-BMG's handling of the rootkit situation a job well done. To hide the copy-protection software, the Sony-BMG rootkit employed techniques typically used by hackers or virus writers. The purpose of a rootkit is to hide files or folders, making them invisible to standard anti-spyware or anti-virus software.

Sony-BMG used this very technology in their XCP (Extended Copy Protection) CDs, created by First4Internet. Anti-DRM arguments aside, Sony-BMG found itself in so much hot water for several reasons.

First, Sony-BMG never mentioned the extent or scope of the XCP technology in the EULA (the 3,000-word End User Licensing Agreement). It never mentioned that files or folders would be hidden on one's machine. In addition, according to Sysinternals, when a CD is played on Sony-BMG's proprietary media player, the player "...establishes a connection with Sony’s site and sends the site an ID associated with the CD."

Sony-BMG also never mentioned the potential damage caused when removing the rootkit. When Mark Russinovich, the individual who discovered Sony-BMG's rootkit, removed the clandestine software, the CD drive no longer functioned.

On top of all this, Russinovich also pointed out that Sony-BMG’s rootkit presented a gaping security hole. Any virus writer could easily create a virus identically named to Sony-BMG's rootkit and take over an untold number of infected machines.

But all of this didn't appear to faze Sony-BMG much. Initially, Sony-BMG and First4Internet denied there was a security problem (until the first viruses started popping up). Even when Sony-BMG released their web-based uninstaller, which posed an even greater security risk, security vulnerabilities were still denied. You may recall the following from Sony-BMG's November 2nd statement:

"This component is not malicious and does not compromise security."

Compounding the situation, a Sony-BMG president chimed in on the issue. Thomas Hesse, president of Sony-BMG's Global Digital Business, told NPR News "Most people, I think, don't even know what a Rootkit is, so why should they care about it?"

Perhaps at that moment, few people knew or cared about rootkits. But that changed in a matter of days. It was obvious within two weeks that an enormous public backlash had erupted against Sony-BMG, one that may threaten the very existence of DRM. Seemingly downplaying the issue, Cary Sherman responded to a reporter's question on whether the RIAA condoned the actions of Sony-BMG.

"The problem with the SonyBMG situation is that the technology they used contained a security vulnerability of which they were unaware. They have apologized for their mistake, ceased manufacture of CDs with that technology, and pulled CDs with that technology from store shelves. Seems very responsible to me. How many times have software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?"

Although Sony-BMG “shared the concerns” and “deeply regret any inconvenience” its customers may have encountered, it never specifically came out with an apology. Sony-BMG never said “We are sorry for our mistake” and never said “We apologize...”

Seems very irresponsible.


You can read the College Presswire transcript here.
