Sony Plays The Blues As Bloggers Turn Up The Volume - InformationWeek


Company halts sales of CDs with content-protection software after complaints

After two weeks of withering criticism from bloggers and others, Sony BMG Music Entertainment last week found itself forced to stop selling some 50 CD titles with its Extended Copy Protection content-protection software, remove the discs from stores, and offer replacements without copy protection to customers.

Sony issued an apology on its Web site, citing security concerns raised by installation of the XCP software, provided--as Sony was quick to point out--by digital-rights-management vendor First4Internet Ltd.

"We share the concerns of consumers regarding these discs," the company said in a statement. Sony instructed retailers to remove unsold CDs with XCP software from their store shelves and inventory. But the trouble isn't over: The company faces charges of deceptive advertising, illegal spyware distribution, and computer crimes in three lawsuits.

Since Oct. 31, when security researcher Mark Russinovich first posted on his blog that Sony's music CDs surreptitiously installed digital-rights-management software based on a rootkit--software often synonymous with spyware--bloggers of all stripes, from seasoned security experts to aggrieved consumers, have fumed about the record company's unethical and possibly illegal behavior.

Thomas Hesse, president of Sony BMG's Global Digital Business, attempted at first to downplay the controversy. "Most people, I think, don't even know what a rootkit is, so why should they care about it?" he said, in a Nov. 4 interview with National Public Radio. The software, Hesse explained, was designed to protect Sony's CDs from unauthorized copying and ripping.

Two days earlier, Sony tried to mollify critics by offering an update that removed what it called "the cloaking technology component" of XCP. The notes to that update state the component was "not malicious and does not compromise security." That may be true, but another component, the uninstaller provided by Sony to remove the XCP software, did compromise security, and bloggers were quick to jump on that, too.

Defensive Stance

The music industry has been torn between protecting its assets and not alienating the public. At a music industry conference in San Diego last summer, Recording Industry Association of America CEO Mitch Bainwol presented findings by market-research firm NPD Group that suggested ripping songs--copying them to a computer from a CD--has come to represent a revenue threat that's at least as significant as illegal peer-to-peer file trading.

Security-software companies and Microsoft are responding to the Sony problem with tools to detect and remove the rootkit, which might be found in business environments if employees played the Sony CDs on office PCs. Microsoft plans to update its Windows AntiSpyware software and Windows Live Safety Center, a free, online antivirus service, to dig out the rootkit. Next month, Microsoft also will add the Sony rootkit to the worms, Trojans, and viruses detected and deleted by Windows Malicious Software Removal Tool, which is updated the second Tuesday of each month.

The incident isn't comparable to a virus attack in terms of impact, according to Graham Cluley, senior technology consultant with security company Sophos plc. "Sony's code wasn't intentionally malicious, but did open up a security hole on users' computers which could be exploited by malware," Cluley says via E-mail.

But the rootkit is by no means benign. It can be used by attackers to hide malicious code, and at least two Trojan horses for that purpose already have been spotted. "Rather than malware," says Cluley, "I would term this as 'ineptware.'"
