One single blog posting in late October succeeded in shaking the reputation of a major record label, notifying the world of the threat of rootkits and turning the music piracy debate upside down.
The saga began when a software developer called Mark Russinovich purchased a CD by Van Zant and played it on his computer.
When he first inserted the music disk, a window popped up informing him that playing the CD required a special player application. But on clicking 'I agree' the application installed more than just a player.
It also copied digital rights management software and a so-called rootkit to his system that would hide the software and prevent uninstalling.
Russinovich found out that the entire software suite was cooked up by a firm called First 4 Internet and is marketed as XCP. He published his findings in a blog posting that was soon picked up by news media world wide.
As more people scrutinised the XCP technology, it turned out that First 4 Internet had created a monster. The cloaking technology did not just hide the software from the user, but from Windows and virus filtering software.
A worm or piece of spyware could easily use the cloaking technology to dodge detection by security software. XCP was identified as a serious security vulnerability.
"Sony's motives are reasonable from its point of view, but it is a terrible security hole," Roger Thompson, chief executive at security provider Worm Radar, told vnunet.com.
"The risk is that [worms] now have a place to hide things where antivirus programs cannot see them. They can tuck themselves in under the protection of the rootkit."
Security experts at F-Secure quickly backed up Russinovich's claims. It would later turn out that the firm had started investigating the XCP rootkit in the summer and had been talking to First 4 Internet and Sony BMG about the security risks.
The process, however, was painstakingly slow and had stalled by the time Russinovich published his blog posting.
Following the public outrage, Sony BMG announced that it would issue a patch to consumers who wanted to remove the software from their systems.
But the label refused to issue a list of CDs that were affected by XCP. And the patch was hard to come by, requiring consumers to register with Sony BMG before receiving the software.
Although Sony BMG had been informed of the full scope of the security implications, the firm maintained that the technology "does not compromise security".
In a rare public appearance Sony BMG's president of digital business tried to cage the dogs.
"Most people don't even know what a rootkit is, so why should they care about it?" he said in a radio interview with the National Public Radio a week after the blog publications.
But ridiculing the critics only made things worse for Sony. F-Secure led the efforts to condemn the record label.
"I think that record companies should stop playing with rootkits and other 'black hat' techniques [before they] cause major grief to the customers," Jarno Niemela, a researcher at F-Secure's laboratory, warned on the F-Secure blog.
In the following days reputable security companies including Computer Associates and Symantec lined up against Sony, labelling XCP as a "trojan" and creating software to help consumers rid their systems of the pest.
And then, 10 days after the initial blog posting, the doom scenario became reality. Antivirus vendors detected the first internet worm on 10 November that made an attempt to use XCP cloaking technology.
The worm was poorly engineered and failed to cause any actual harm, but Sony finally woke up to the danger. The next day the record label promised to abandon XCP. It also published a list of 52 "infected" CD titles and launched a consumer exchange programme.
But the label's worries even then were far from over. The Texas attorney general has since launched an investigation into Sony's actions, alleging that the label violated local anti-spyware legislation. If found guilty, the label could end up paying $100,000 per violation.
Consumer advocacy group the Electronic Frontier Foundation has also started legal procedures in the US and Italy.
First 4 Internet, meanwhile, was accused of stealing open source software to use in the XCP technology.
As consumers kept calling for an all-out boycott of Sony, the company once again jeopardised the security of its customers.
A tool that aimed to remove XCP from infected systems was found to contain security bugs. And it soon transpired that another Sony anti-piracy technology contained security vulnerabilities that weren't removed properly either.
Sony BMG's anti-piracy initiative was intended to put an end to illegal copying, but it succeeded in doing the exact opposite. The crisis around its DRM technology had alienated the group of consumers who purchased perfectly legal hard copies of CDs.
In the end little real damage was done to consumers, as there are no known cases of hackers or worms which have succeeded in exploiting any of the many holes in Sony's technology. But the image of Sony BMG has been tarnished for years to come.
Courtesy : Tom Sanders, vnunet
The saga began when a software developer called Mark Russinovich purchased a CD by Van Zant and played it on his computer.
When he first inserted the music disk, a window popped up informing him that playing the CD required a special player application. But on clicking 'I agree' the application installed more than just a player.
It also copied digital rights management software and a so-called rootkit to his system that would hide the software and prevent uninstalling.
Russinovich found out that the entire software suite was cooked up by a firm called First 4 Internet and is marketed as XCP. He published his findings in a blog posting that was soon picked up by news media world wide.
As more people scrutinised the XCP technology, it turned out that First 4 Internet had created a monster. The cloaking technology did not just hide the software from the user, but from Windows and virus filtering software.
A worm or piece of spyware could easily use the cloaking technology to dodge detection by security software. XCP was identified as a serious security vulnerability.
"Sony's motives are reasonable from its point of view, but it is a terrible security hole," Roger Thompson, chief executive at security provider Worm Radar, told vnunet.com.
"The risk is that [worms] now have a place to hide things where antivirus programs cannot see them. They can tuck themselves in under the protection of the rootkit."
Security experts at F-Secure quickly backed up Russinovich's claims. It would later turn out that the firm had started investigating the XCP rootkit in the summer and had been talking to First 4 Internet and Sony BMG about the security risks.
The process, however, was painstakingly slow and had stalled by the time Russinovich published his blog posting.
Following the public outrage, Sony BMG announced that it would issue a patch to consumers who wanted to remove the software from their systems.
But the label refused to issue a list of CDs that were affected by XCP. And the patch was hard to come by, requiring consumers to register with Sony BMG before receiving the software.
Although Sony BMG had been informed of the full scope of the security implications, the firm maintained that the technology "does not compromise security".
In a rare public appearance Sony BMG's president of digital business tried to cage the dogs.
"Most people don't even know what a rootkit is, so why should they care about it?" he said in a radio interview with the National Public Radio a week after the blog publications.
But ridiculing the critics only made things worse for Sony. F-Secure led the efforts to condemn the record label.
"I think that record companies should stop playing with rootkits and other 'black hat' techniques [before they] cause major grief to the customers," Jarno Niemela, a researcher at F-Secure's laboratory, warned on the F-Secure blog.
In the following days reputable security companies including Computer Associates and Symantec lined up against Sony, labelling XCP as a "trojan" and creating software to help consumers rid their systems of the pest.
And then, 10 days after the initial blog posting, the doom scenario became reality. Antivirus vendors detected the first internet worm on 10 November that made an attempt to use XCP cloaking technology.
The worm was poorly engineered and failed to cause any actual harm, but Sony finally woke up to the danger. The next day the record label promised to abandon XCP. It also published a list of 52 "infected" CD titles and launched a consumer exchange programme.
But the label's worries even then were far from over. The Texas attorney general has since launched an investigation into Sony's actions, alleging that the label violated local anti-spyware legislation. If found guilty, the label could end up paying $100,000 per violation.
Consumer advocacy group the Electronic Frontier Foundation has also started legal procedures in the US and Italy.
First 4 Internet, meanwhile, was accused of stealing open source software to use in the XCP technology.
As consumers kept calling for an all-out boycott of Sony, the company once again jeopardised the security of its customers.
A tool that aimed to remove XCP from infected systems was found to contain security bugs. And it soon transpired that another Sony anti-piracy technology contained security vulnerabilities that weren't removed properly either.
Sony BMG's anti-piracy initiative was intended to put an end to illegal copying, but it succeeded in doing the exact opposite. The crisis around its DRM technology had alienated the group of consumers who purchased perfectly legal hard copies of CDs.
In the end little real damage was done to consumers, as there are no known cases of hackers or worms which have succeeded in exploiting any of the many holes in Sony's technology. But the image of Sony BMG has been tarnished for years to come.
Courtesy : Tom Sanders, vnunet