MIT Technology Review
Facing the Music
Despite the warnings from F-Secure in late October, Sony BMG was surprised by the controversy. Indeed, for days after Russinovich’s analysis hit the news, company executives showed little understanding of the fury it was arousing in the hearts of many of its customers. “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” Sony BMG’s Hesse said in an interview with National Public Radio on November 4.

But for the owners of the more than two million XCP-protected discs sold by Sony BMG between January and November, the reports came as a shock. Security flaws in commercial software are common; Microsoft’s products, for example, are so widely used that even the tiniest bug will eventually be discovered and exploited by a malware author, so the software giant publishes updates and patches on a monthly basis. But no software or media company of the stature of Sony BMG had ever distributed a program that, in the judgment of security experts, was deliberately designed to mimic malware.

Sony BMG did not immediately apologize but did try to solve the problem. Its first step, in early November, was to publish a Web-based program that customers could use to remove XCP from their systems. The move didn’t help matters. Matti Nikki in Finland discovered that a file that the uninstaller placed on a user’s computer to facilitate communication with Sony BMG’s servers could later be exploited by any website that wanted to send and execute malicious code. The uninstaller posed “a far greater security risk than even the original Sony rootkit,” according to Felten and Halderman, who verified Nikki’s discovery on November 15 in their widely followed blog, Freedom to Tinker.

A few days later, Sony BMG replaced the Web-based uninstaller with a safer, downloadable one. And gradually, the company seemed to recognize the scope of the public-relations disaster it faced. On November 11, Sony BMG announced that it would stop manufacturing music CDs with XCP. On November 14, the company said it regretted the inconvenience it had caused its customers and announced an exchange program to replace XCP-protected discs with new ones without the rootkit.

According to media reports, consumers had purchased 2.1 million of the copy-protected CDs. How many of these customers actually played the CDs on their computers, thus unwittingly installing the rootkit, is not clear. But Dan Kaminsky, an independent security researcher in Seattle, discovered evidence linking Sony’s rootkit to hundreds of thousands, if not millions, of systems across 131 countries. He calls that number “enormous,” especially when compared with figures for the spread of Internet worms and viruses. Kaminsky posted the statistics on his website, along with world maps showing the locations of affected networks.

Sony BMG, meanwhile, tried to respond to the specific worries raised by Russinovich, Kaminsky, and others. In a November 18 letter to the Electronic Frontier Foundation, which had earlier published its own open letter criticizing Sony BMG’s handling of the XCP episode, Sony counsel Jeffrey Cunard said that the company would never disclose the Internet addresses collected when XCP phoned home and that, in any case, these addresses were never associated with personally identifiable information. He also said that Sony BMG would be more careful in the future about evaluating copy-protection software and the EULAs that come with it. “Any present and future copy protection technology used by Sony BMG will be tested, verified, and disclosed to consumers,” Cunard wrote.

Sony BMG representatives contacted by Technology Review in March and April would not name the executives responsible for licensing XCP from First 4 Internet or releasing the copy-protected discs, and they declined to make executives available for interviews. However, Cory Shields, director of the company’s communications office, said it was never Sony BMG’s intention to include software that caused security concerns on its compact discs. “The company’s intent was to deliver a technology that was consumer friendly, that would let people pursue the functionality that they wanted,” Shields said. “It certainly wasn’t the company’s intent to create a problem.”
