Sony Rootkitting: How It Happened

Here’s a paper about Sony and the Rootkit:

While Sony BMG’s customers first became aware of the dangers posed by the rootkit through media reports following Russinovich’s October 31 announcement, the company was on notice that its product contained a rootkit, at the very least, four weeks earlier.[12] Finnish anti-virus software developer F-Secure contacted Sony BMG on October 4, 2005, alerting it to the presence of the rootkit.[13] Of course, First4Internet, as the developer that chose to incorporate the rootkit into its design, necessarily knew of its presence from the outset.

Yet Sony apparently thought that it could still sneak a rootkit onto CDs its customers paid for. The customers knew better, because Amazon reviews told them, and sales of the CDs plummeted as soon as rootkit-infested versions were issued.

This perhaps illustrates three points:

  1. It’s not nice to treat your customers like enemies.
  2. On the Internet, the customers will find out and your sales will suffer.
  3. Traditional security breach management does no good; even though F-Secure didn’t tell the public, somebody else did, and that’s a good thing.

The paper tries to reconstruct not only what happened, but why Sony did such a stupid and self-damaging thing. The paper sets forth two main options. Either it was an accident, and Sony didn’t understand the effects of what it was doing; or Sony thought it understood and had calculated that it would profit from it. Either way, Sony grossly undervalued the value of privacy and security to its customers. The second explanation would in addition indicate that Sony thought it could sneak crippled and actively malicious software onto its users’ computers without the users knowing. That of course makes it a special case of the first option, since the second option requires that Sony didn’t understand that one effect would be that the users would find out and would vote with their pocketbooks.

Meanwhile, Sony still doesn’t get that its customers aren’t its enemies; a Sony executive admitted in October that the RIAA lawsuit campaign is costing the record industry millions of dollars net, yet Sony keeps supporting it.

The dinosaur record industry keeps digging its own grave. I wonder what other industries will go the same way because they don’t adequately value security and privacy?

Seen on How Sony BMG lost its mind and rootkitted its CDs — prepublication law paper, posted by Cory Doctorow, BoingBoing, December 17, 2007 2:36 AM.