Print
Discuss
Send to friend
RSS feeds
One single blog posting in late October succeeded in shaking the reputation of a major record label, notifying the world of the threat of rootkits and turning the music piracy debate upside down.
The saga began when a software developer called Mark Russinovich purchased a CD by Van Zant and played it on his computer.
When he first inserted the music disk, a window popped up informing him that playing the CD required a special player application. But on clicking 'I agree' the application installed more than just a player.
It also copied digital rights management software and a so-called rootkit to his system that would hide the software and prevent uninstalling.
Russinovich found out that the entire software suite was cooked up by a firm called First 4 Internet and is marketed as XCP. He published his findings in a blog posting that was soon picked up by news media world wide.
As more people scrutinised the XCP technology, it turned out that First 4 Internet had created a monster. The cloaking technology did not just hide the software from the user, but from Windows and virus filtering software.
A worm or piece of spyware could easily use the cloaking technology to dodge detection by security software. XCP was identified as a serious security vulnerability.
"Sony's motives are reasonable from its point of view, but it is a terrible security hole," Roger Thompson, chief executive at security provider Worm Radar, told vnunet.com.
"The risk is that [worms] now have a place to hide things where antivirus programs cannot see them. They can tuck themselves in under the protection of the rootkit."
Security experts at F-Secure quickly backed up Russinovich's claims. It would later turn out that the firm had started investigating the XCP rootkit in the summer and had been talking to First 4 Internet and Sony BMG about the security risks.
The process, however, was painstakingly slow and had stalled by the time Russinovich published his blog posting.
Following the public outrage, Sony BMG announced that it would issue a patch to consumers who wanted to remove the software from their systems.
But the label refused to issue a list of CDs that were affected by XCP. And the patch was hard to come by, requiring consumers to register with Sony BMG before receiving the software.
Although Sony BMG had been informed of the full scope of the security implications, the firm maintained that the technology "does not compromise security".
In a rare public appearance Sony BMG's president of digital business tried to cage the dogs.
del.icio.us
Digg this
reddit!
