Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Sony BMG Music Entertainment’s decision to include covert and potentially dangerous software on millions of its compact discs taught us two painfully important lessons: that people have placed too much faith in the safety of commercially distributed software and that the tools for protecting computers from malicious “rootkit” applications have been inadequate.

As the music and movie industries continue to put legal pressure on file-trading networks such as Kazaa and individual violaters, Sony BMG Music Entertainment made the decision to try to thwart file-sharing at the head of the problem: on the CD. To do that, the company included a software program called the Extended Copy Protection (XCP), a digital rights management (DRM) application developed by First4Internet. Among other problems, it caused a security hole to open that enabled other virus writers to covertly install malicious applications. Unlike a virus that propagates exponentially from system to system, and quickly draws attention, such “rootkit” applications often fly under the radar.

Making matters worse, consumers are understandably much less wary of commercial software than files they download or that are included as e-mail attachments. So it’s not surprising that the discovery of Sony’s placement of software containing a security vulnerability was inadvertent.

Windows expert Mark Russinovich was one of millions of music fans who purchased a CD from a SonyBMG artist and listened to it on his computer – never imagining he was opening up a gaping security hole on his PC. It was only months after Russinovich first listened to a Van Zant brothers CD that he realized the CD had damaged his computer.

“The problem is that software coming from an established company like Sony will always be trusted by the consumer,” says Russinovich, “even if they had software that popped up a warning that a driver was being installed, most [people] would likely allow it.”

Russinovich posted his discovery of the unwanted “rootkit” software on his blog, along with the explanation of how it outsmarted the existing antivirus and spyware software. Since then, Russinovich has completed a free utility that identifies rootkits. But he acknowledges on his website that there will never be a universal rootkit scanner.

Even computer security companies have been naïve, though, in not closely scrutinizing commercial software for code that opens security holes. “We had not looked at this particular technology before,” says Vincent Weafer, senior director of Symantec Security Response. The XCP software is not a virus itself, he says, but rather opens security holes that can be exploited.

“[There is a] difference between malicious code, as opposed to technology that can be used for malicious purposes,” Weafer says. But hackers were quick to jump on the security risk. Weafer says a virus that exploits the XCP vulnerability called “Backdoor.Ryknos” was identified by Symantec on November 10, and the company posted a removal tool.

And within two weeks, Symantec will be updating its antivirus products to identify rootkits.

However, the cat-and-mouse game played by security companies and virus writers had a twist this time: antivirus companies were slow to create utilities to remove the Sony software – out of fear of violating the Digital Millennium Copyright Act, according to security expert Dan Kaminsky. He says creating new software to remove DRM software is a violation of the DMCA, forcing antivirus companies to create patches that eliminate the software’s dangerous behavior, but do not remove it.

3 comments. Share your thoughts »

Tagged: Computing

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me