The Rootkit of All Evil

Authored by nytimes.com and submitted by dachaf17

SONY BMG can take two lessons from its recent wayward attempt to fend off digital piracy: One, in a world of technology-astute bloggers, it's not easy to get away with secretly infecting your customers' computers with potentially malicious code. And two, as many a politician has learned, explaining your own screw-up badly is often worse than the screw-up itself.

Or as Wired News put it, "The Cover-Up Is the Crime."

It all started on Halloween, when Mark Russinovich, a computer security researcher, discovered that the antipiracy software that a Sony BMG CD had installed on his machine was based on a "rootkit." Rootkits are often used by malicious hackers to disguise spyware, malware and other nasty stuff. Removing one can do damage, even destroying an operating system. Mr. Russinovich posted his tale on his blog, sysinternals.com/blog, and the pile-on commenced.

Sony BMG responded by offering a piece of software it said would remove the rootkit, but at the same time said the rootkit was "not malicious and does not compromise security." Thomas Hesse, president of Sony BMG's Global Digital Business, went on National Public Radio to say that "most people, I think, don't even know what a rootkit is, so why should they care about it?"

Cory Doctorow on boingboing.net wrote: "What petulant jerks. Look, Sony, you got caught sleazing your customers' computers. Telling us that it wasn't so bad is just infuriating and insulting. An apology would have been better received."

Things grew worse for Sony BMG. The company angered many music fans with its complicated uninstall process, which required them to disclose their e-mail addresses and make multiple visits to sonybmg.com. (Several days later, researchers at Princeton asserted that the removal tool itself left computers vulnerable to attack, prompting Sony BMG to remove it temporarily.)

Antivirus companies said they had detected malicious software on the Internet that was aimed at the vulnerability created by the rootkit. Dan Goodin, a Wired News columnist, called for a boycott of Sony BMG.

This week, Sony BMG relented, somewhat, and announced a recall of all rootkit-containing CD's, in exchange for "clean" ones. Mr. Doctorow, less than impressed, called Sony BMG's statement "a non-apology apology."

PIRATE FIGHTERS -- Companies like Apple and Microsoft that offer downloadable music are also doing their part to make life tough for customers -- by employing proprietary digital rights management schemes, Adam L. Penenberg writes in Slate (slate.com). What the world needs, Mr. Penenberg says, is a universal standard so that any song downloaded from any service can be played on any device. "Neither Apple nor Microsoft is hurt by music piracy," he writes. "Instead, they use it as a marketing ploy to force people to use their products. It doesn't have to be this way."

BIZ-BLOG GUIDE -- "No self-respecting industry these days is without a must-read blog," says The Wall Street Journal, which asked reporters to compile a list of 20 industry-specific blogs -- from paidcontent.org, which mixes commentary and links with original reporting, to adrants.com, which offers short, pithy, sometimes biting commentary on the ad game. There are, of course, thousands more where that came from. But we've got you covered there.

I.M. THIS -- America Online arbitrarily decided that its Instant Messenger users should have bots in their buddy lists: Meet Moviefone and ShoppingBuddy, whether you want to or not. The bots, which users can "talk to" to get information, announced themselves via an instant message on Wednesday. Users who find them obnoxious are forced to delete them from their buddy lists. A blogger named Luke the Obscure decided to try out Moviefone, but found it infuriating. Their bizarre conversation ("I will crush you," says Luke. "Excellent," says the bot.) can be found at passivereactive.blogspot.com. DAN MITCHELL

WHAT'S ONLINE: Complete links are at nytimes.com/business.

iHaveAgency on April 12th, 2017 at 18:52 UTC »

I will never forget reading the original blog post that started that furor. I got in on the ground floor for that story.

I actually went and bought one of those CD's, because I wanted to see for myself. It was Van Zant's Get Right With the Man. I had an extra PC laying around, so I put the CD in and let 'er rip.

That was an eye-opening experience, lemme tell ya.

Once that root-kit was installed, you could hide any file, device, port or other resource simply by renaming it so that its name began with "$sys$". The file (or registry key - whatever) would be completely hidden from the user and all front-facing parts of the OS, which was Windows XP in my case. You could no longer find it, edit it or delete it. You could no longer prove the file (or Registry Key) existed - but it did, and it could do real damage without your timely detection.

What most people miss about this attack against global civil society (that's what it was, folks) is that it made it SIMPLE for untalented teen hackers to make viruses etc. that no virus scanner would be able to detect. That was the real crime, along with the fact that no one went to jail. Or to trial.
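Added example, not part of the comment above or of the article: a cross-view check, the defensive counterpart to the "$sys$" name-prefix hiding the comment describes, which compares what a filtered listing reports with a raw inventory of the same machine and flags the gap. All resource names are constructed and hypothetical, case-insensitive prefix matching is an assumption, and the two views are modelled in memory rather than read from a real system.

```python
from dataclasses import dataclass

CLOAK_PREFIX = "$sys$"  # prefix named in the comment above

@dataclass(frozen=True)
class Resource:
    kind: str  # "file", "regkey" or "process"
    path: str

def leaf_name(res):
    """Last path component: the name the prefix rule applies to."""
    return res.path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]

def cloaked_view(raw, prefix=CLOAK_PREFIX):
    """Model of a filtered listing: prefixed names vanish (case-insensitivity assumed)."""
    return {r for r in raw if not leaf_name(r).lower().startswith(prefix)}

def cross_view_diff(api_view, raw_view, prefix=CLOAK_PREFIX):
    """Report every resource the raw view contains that the API view lacks."""
    findings = []
    for res in sorted(raw_view - api_view, key=lambda r: (r.kind, r.path)):
        by_prefix = leaf_name(res).lower().startswith(prefix)
        findings.append({
            "kind": res.kind,
            "path": res.path,
            # A gap without the prefix may be benign, e.g. a file created between scans.
            "reason": "name-prefix cloak" if by_prefix else "unexplained gap",
        })
    return findings

# Constructed sample inventory (hypothetical names, not from any real system).
RAW = {
    Resource("file", r"C:\Windows\System32\notepad.exe"),
    Resource("file", r"C:\Windows\System32\$sys$example.sys"),
    Resource("file", r"C:\Users\demo\$SYS$other.exe"),
    Resource("regkey", r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$example"),
    Resource("process", "explorer.exe"),
    Resource("file", r"C:\Temp\created-between-scans.tmp"),
}
# API view: the cloak filter applied, minus one file that did not exist at scan time.
API = cloaked_view(RAW) - {Resource("file", r"C:\Temp\created-between-scans.tmp")}

if __name__ == "__main__":
    for f in cross_view_diff(API, RAW):
        print(f"{f['reason']:18} {f['kind']:8} {f['path']}")
```

Any entry reported as "name-prefix cloak" exists on disk or in the registry but is absent from the normal listing; "unexplained gap" entries need a rescan before they are treated as hidden.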

idreamofpikas on April 12th, 2017 at 14:58 UTC »

Sony BMG botched its initial response: "Most people don't even know what a rootkit is, so why should they care about it?" went the infamous quote from Thomas Hesse, then president of Sony BMG's Global Digital Business.

I don't think I actually knew what a rootkit was until this story broke a decade ago.

TooShiftyForYou on April 12th, 2017 at 14:57 UTC »

Thomas Hesse, president of Sony BMG's Global Digital Business, went on National Public Radio to say that "most people, I think, don't even know what a rootkit is, so why should they care about it?"

Whoops!