Sony BMG's Costly Silence

The label was alerted to the secret, virus-vulnerable software on its CDs long before the scandal broke. Trouble is, it didn't act immediately to alert consumers

For Sony BMG Music Entertainment, it has become a public-relations nightmare -- and it shows no signs of abating. On Oct. 31, computer-systems expert Mark Russinovich posted a message on his blog revealing that Sony BMG had placed anti-piracy software on music CDs that was difficult to detect and that made customers' PCs vulnerable to hacker attacks (see BW Online, 11/17/05, "Sony's Copyright Overreach").

Since then, Sony BMG has been the subject of countless unflattering news reports and has been vilified in the blogosphere. On Nov. 21, Texas Attorney General Greg Abbott filed suit alleging that the label is violating the state's consumer-protection laws, and New York's bulldog attorney general, Eliot Spitzer, also is looking into the matter (see BW Online, 11/29/05, "Spitzer Gets on Sony BMG's Case").

The flap has raised questions as to what Sony BMG knew -- and when the joint venture of Sony (SNE) and Germany's Bertelsmann knew it. Computer-security experts say the company's response is a cautionary tale for other entertainment companies hoping to make use of copyright-protection software.


Sony BMG is in a catfight with a well-known computer-security outfit that became aware of the software problem on Sept. 30 and notified the music company on Oct. 4 -- nearly a month before the issue blew up. F-Secure, a Finland-based antivirus company that prides itself on being the first to spot new malware outbreaks, says Sony BMG didn't understand the software it was introducing to people's computers and was slow to react.

"If [Sony] had woken up and smelled the coffee when we told them there was a problem, they could have avoided this trouble," says Mikko H. Hypponen, F-Secure's director of antivirus research.

Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers. "We're very, very sorry for the disruption and inconvenience that this has caused to music consumers," says Thomas Hesse, president of Sony BMG's Global Digital Business.

Computer-security experts call Sony BMG's travails a wake-up call for the entertainment industry. The message: Know your technology lest it trip you up. Sony BMG outsourced the job of writing the software to a small British consultancy called First4Internet Ltd. The resulting program, called XCP, made it possible for hackers to hide malicious code in customers' PCs. Security experts say Sony BMG's second mistake was effectively loading the software onto customers' computers without telling them exactly what the software did (see BW Online, 11/29/05, "Rooting Out Sony BMG's Rootkit").


Some say this episode shows that the recording industry's attempts to use digital-rights management software to stem the tide of piracy is fatally flawed. "Making digital files not copyable is like making water not wet," says Bruce Schneier, chief technology officer at security consulting firm Counterpane Internet Security. "You can't do it. DRM is a desperate attempt to cling to their old business model. They have to figure out how to make money in the new world."

It didn't take a computer scientist with a PhD to sniff out Sony BMG's software glitch. It was spotted by John Guarino, owner of, a two-person PC-repair outfit in midtown Manhattan. Guarino had for months been removing a pesky piece of so-called rootkit software found on clients' PCs. After investigating, he discovered that it was Sony BMG's software. His "Aha!" moment came on Sept. 30 when he loaded a CD by pop singer Amerie onto his laptop computer and confirmed that the offending software came with it.

"This was really bad," he says. "The worst thing you can have on your computer right now is a rootkit, and Sony was installing it on people's computers."

That's when F-Secure got into the act. Guarino sent an e-mail to the Finnish company, since it makes the rootkit-detector software that he used to investigate. F-Secure did its own investigation and notified Sony DADC, which manufactures Sony BMG CDs, on Oct. 4. Sony BMG says the e-mail, which was forwarded to it on Oct. 7, didn't signal a serious security issue. F-Secure said its rootkit-detection software had spotted a potential rootkit in XCP.


"This e-mail, which we have also reviewed, seems to be about a routine matter," says Hesse. "While it did introduce the notion of a 'rootkit,' it did not suggest that this software was anything but benign."

Nevertheless, Sony BMG asked First4Internet to investigate. Both Sony BMG and F-Secure say that it was on Oct. 17 that F-Secure first spelled out the full scope of the problem to Sony. The security company's report on the matter, sent that day to First4Internet and Sony BMG, confirmed there was a rootkit in XCP and warned that it made it possible for hackers to hide viruses and protect them from antivirus software products. F-Secure referred to XCP as a "major security risk," according to a copy of the e-mail supplied to BusinessWeek Online by F-Secure.

Sony BMG says it asked the two software companies to investigate and find a solution to the problem. "From the moment our people learned that F-Secure had identified a potential problem we contacted our vendor and in no uncertain terms told them you have to get with F-Secure and find out what needs to be done about it," says Daniel Mandil, Sony BMG's general counsel.


What happened next is in dispute. F-Secure had a conference call with executives of First4Internet on Oct. 20. It says First4Internet argued that there was no real problem because only a few people knew of the vulnerability XCP created, and said an update of the XCP software, due out early next year, would fix the problem on all future CDs.

A person manning the phones at First4Internet's British offices said the company would not comment on the matter, and Sony BMG said it doesn't know what was said during that phone conference, since none of its employees participated.

Next, F-Secure and Sony BMG held their own conference call. F-Secure says Sony BMG didn't seem inclined to do anything about the CDs that were already in circulation. "We told them it was a major security risk," says Santeri Kangas, F-Secure's director of research, who was on the call. "They thought we were silly. They wanted to keep the problem quiet." Sony BMG disputes this account.

"Both of these vendors were put together to create a solution, a patch that would obviously culminate in a public announcement," says Sony BMG spokesman John McKay. Sony BMG planned to fix the glitch as soon as possible and to immediately make available a software patch that customers could download onto their computers to protect their machines from hackers. After Oct. 20, however, F-Secure and First4Internet made little progress because they couldn't agree on the terms of a nondisclosure agreement.


Meantime, F-Secure decided against going public, but blogger Russinovich, who had found the XCP problem on his own, felt no such restraint. "I felt this was an issue that would be best addressed more quickly and thoroughly if handled in a public forum," he says. "I accomplished what I set out to do, which was raising awareness."

Security experts say within a week of Russinovich's revelations, hackers had produced viruses designed to exploit the software. Sony's patch was available by then, and there have been no reports of a virus outbreak.

Since the blowup, Sony BMG has been analyzing what transpired in search of what it should have done differently. "Right now, we are in the process of reviewing all of these initiatives," Hesse notes.


"We have taken this matter very seriously and have taken numerous steps, including issuing a software update, and creating and implementing an ambitious exchange program, to reach out to consumers and make this situation right," says McKay.

Sony BMG's response is not likely to satisfy all of its customers -- and certainly not the bloggers who are calling for a consumer boycott. The best lesson that Sony BMG -- and the music industry -- can take away is to be more vigilant when it comes to the software they ask customers to load onto computers.
