Post mortem of a screwup: what happened before Oct 31

Business Week just posted an account of the internal communications among Sony BMG and First4Internet that sheds more light on the XCP rootkit foul-up, including the revelation that F-Secure warned Sony BMG in September that the rootkit existed and described the risk of exploits two weeks before Mark Russinovich went public. This is one of the missing pieces of the hypothetical marketing case that I have said could be written about this fiasco: just what happened inside Sony BMG prior to Russinovich’s opening of Pandora’s box?

The article also contains some more context for Thomas Hesse’s infamous quotation about rootkits:

“[F-Secure’s] e-mail, which we have also reviewed, seems to be about a routine matter,” says [Sony BMG President of Global Digital Business Thomas] Hesse. “While it did introduce the notion of a ‘rootkit,’ it did not suggest that this software was anything but benign.” [emphasis added]

Heh. Really puts that “most people, I think, don’t even know what a rootkit is” comment in context: most people, in this case, means “most people inside Sony BMG, including me and all my Global Digital Business team.”

More seriously, though, the suggestion is that Sony BMG had a very hands-off relationship with First4Internet, to the extent that the latter company could have a conference call with an antivirus vendor without anyone from Sony BMG on the line.

Most disturbing is the statement from F-Secure that First4Internet “argued that there was no real problem because only a few people knew of the vulnerability XCP created, and said an update of the XCP software, due out early next year, would fix the problem on all future CDs.” This suggests that First4Internet didn’t understand the first thing about computer security. These are not people you want writing device drivers.

2 Responses to “Post mortem of a screwup: what happened before Oct 31”

  1. Glyn Hotz Says:

    Speaking of which, I bought the DRM “protected” “12 Songs” CDs in Toronto, Canada, near the beginning of this as I was going to issue the class action here and wanted to see the layout on the box. Of course, to no one’s surprise, it’s still available. I also bought “To Love Again” and “on ne change pas.” You’d think there would be some exchange programme in place locally? I had client enquiries from people who even played these at work.

  2. /// CityOfRain /// Says:

    Sony Sucks

    OK, it’s about time I tell everyone out loud. Sony sucks. Don’t take my word for it! Read an excellent round-up by BusinessWeek:

    “This was really bad,” says John …
