Business Week just posted an account of the internal communications among Sony BMG and First4Internet that sheds more light on the XCP rootkit foul-up, including the revelation that F-Secure warned Sony BMG in September that the rootkit existed and described the risk of exploits two weeks before Mark Russinovich went public. This is one of the missing pieces of the hypothetical marketing case that I have said could be written about this fiasco: just what happened inside Sony BMG prior to Russinovich’s opening of Pandora’s box?

The article also contains some more context for Thomas Hesse’s infamous quotation about rootkits:

“[F-Secure’s] e-mail, which we have also reviewed, seems to be about a routine matter,” says [Sony BMG President of Global Digital Business Thomas] Hesse. “While it did introduce the notion of a ‘rootkit,’ it did not suggest that this software was anything but benign.” [emphasis added]

Heh. That really puts the “most people, I think, don’t even know what a rootkit is” comment in context: “most people,” in this case, means “most people inside Sony BMG, including me and all of my Global Digital Business team.”

More seriously, though, the suggestion is that Sony BMG had a very hands-off relationship with First4Internet, to the extent that the latter company could hold a conference call with an antivirus vendor without anyone from Sony BMG on the line.

Most disturbing is the statement from F-Secure that First4Internet “argued that there was no real problem because only a few people knew of the vulnerability XCP created, and said an update of the XCP software, due out early next year, would fix the problem on all future CDs.” This suggests that First4Internet didn’t understand the first thing about computer security. These are not people you want writing device drivers.
