And yet more Sony BMG revelations!

Nov 30, 2005

I didn’t think that there would be more to blog about Sony BMG today but I was wrong, oh, so wrong …

According to an article on p2pnet, Mikko Hyppönen, research director of F-Secure, discovered the Sony BMG DRM software at the beginning of October, even though the fact was kept secret until Mark Russinovich of Winternals Software blogged about it at the end of October. What is so incredible about this latest revelation is that, 1. Sony made no attempt to handle the issue in a responsible way or, in fact, in any way; and 2. Hyppönen gave them the benefit of the doubt by assuming that Sony BMG would act on his advice! The first issue can be put down to Sony BMG’s corporate arrogance, but the second is disappointing. I wrote to Hyppönen for a comment and here’s our exchange:

-----

[mg] I have read that you discovered Sony BMG’s DRM software and told them your doubts about the advisability of using it at the beginning of October.

[mh] That’s right.

[mg] What I was wondering is why you didn’t go public with the news until Mark Russinovich blogged his findings?

[mh] Simple. We didn’t want to disclose this publicly for fear of virus writers exploiting it. After it became public, it took 9 days for the first malware to come out that used the Sony rootkit to hide itself (Breplibot). Breplibot used it not just to hide from the user but also from almost all of the antivirus programs out there (except us, as we have a rootkit detector in our product). Instead of breaking the story we were trying to convince Sony BMG to act on this before it’s too late. Unfortunately they only acted after the Breplibot trojans were already out. See Breplibot Stinx.

-----

While I understand Hyppönen’s thinking, don’t we all know that approach doesn’t work? We have repeatedly seen large companies fail to respond to serious security problems in their software, so the hope that Sony BMG would step up and address their problem in a timely fashion was optimistic at best.

On top of the almost certain knowledge of Sony BMG’s likely inaction, there’s also the fact that by the time the public knew that Sony BMG was putting retarded DRM software on their PCs, the company had been doing so for about eight months! That was eight months in which the consequences of their software should have become obvious to them, unless they just naively put it out to market and forgot about it. Surely they couldn’t have been that naive, could they? Nah …


Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at