30 November 2005
Spitzer's office dispatched investigators who, disguised as customers, were able to purchase affected CDs in New York music retail outlets -- and to do so more than a week after Sony BMG recalled the disks. The investigators bought CDs at stores including Wal-Mart (WMT), BestBuy (BBY), Sam Goody, Circuit City (CC), FYE, and Virgin Megastore, according to a Nov. 23 statement from Spitzer's office.
...
MORE PRESSURE. "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year," Spitzer said in a written statement. "I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."
This is not good and means that Sony has problems in three of the most important US states: Texas, California and New York. Of course it isn't just Sony that is hurting; the artists whose CDs were afflicted with the rootkit scheme are losing sales too:
Sony BMG had promised the CD would be swapped out with non-rootkit CDs. Instead, the rootkit CDs simply were pulled, Schilling says. "It's obviously very bothersome," he says.
"HARMING THE ARTIST." That means Van Zant's CD and others were not on the shelves for the busiest shopping weekend of the year. Sony BMG has told Van Zant to expect a 50% to 80% decrease in sales when the new numbers come out on Nov. 30. That's in a week that should have seen a 50% to 80% increase in sales. The week of Nov. 9 to 16, Van Zant's sales actually jumped a point, a spurt Schilling attributes to exposure from the Country Music Awards.
Now that retailers are pulling the CD, there's potential for a 50,000- to 60,000-unit loss, Schilling says. "I believe they [Sony] went in with good intentions, but it turned into an unprecedented situation," Schilling says. "It certainly is harming the artist.... There's going to have to be some commitment made on Sony's side to their artists." To say nothing of the assurances Sony BMG may need to make to consumers and a couple of states' attorneys general.
BTW I can't help noting that Mr Schilling seems to be using understatement in a terribly British fashion - one wonders whether "very bothersome" was not originally spiced up a little....
That's when F-Secure got into the act. Guarino sent an e-mail to the Finnish company, since it makes the rootkit-detector software that he used to investigate. F-Secure did its own investigation and notified Sony DADC, which manufactures Sony BMG CDs, on Oct. 4. Sony BMG says the e-mail, which was forwarded to it on Oct. 7, didn't signal a serious security issue. F-Secure said its rootkit-detection software had spotted a potential rootkit in XCP.
CONFLICTING ACCOUNTS. "This e-mail, which we have also reviewed, seems to be about a routine matter," says Hesse. "While it did introduce the notion of a 'rootkit,' it did not suggest that this software was anything but benign."
Nevertheless, Sony BMG asked First4Internet to investigate. Both Sony BMG and F-Secure say that it was on Oct. 17 that F-Secure first spelled out the full scope of the problem to Sony. The security company's report on the matter, sent that day to First4Internet and Sony BMG, confirmed there was a rootkit in XCP and warned that it made it possible for hackers to hide viruses and protect them from antivirus software products. F-Secure referred to XCP as a "major security risk," according to a copy of the e-mail supplied to BusinessWeek Online by F-Secure.
Note the sentence I have bolded. Anyone who can state with a straight face that a "rootkit" is "benign" is clearly unaware of some fairly basic security points. I'm sure that F-Secure's initial contact was polite and did not stress the danger because I'm sure that F-Secure assumed (obviously incorrectly) that Sony understood why rootkits are bad things. It is sort of like a car magazine sending an email to GM saying that they have discovered that the door of a GM car opens when the car goes around a corner. Further evidence that Sony BMG should not be left in the same room as a computer follows:
Next, F-Secure and Sony BMG held their own conference call. F-Secure says Sony BMG didn't seem inclined to do anything about the CDs that were already in circulation. "We told them it was a major security risk," says Santeri Kangas, F-Secure's director of research, who was on the call. "They thought we were silly. They wanted to keep the problem quiet." Sony BMG disputes this account.
Since the blowup, Sony BMG has been analyzing what transpired in search of what it should have done differently. "Right now, we are in the process of reviewing all of these initiatives," Hesse notes.
I think lesson one would be to learn what a computer is and go on a few computer security courses, and lesson two boils down to: stop treating your customers as if they are criminals and maybe you'll get some loyalty. Lesson three is that if someone reports a problem you immediately figure out how to fix it and, if it is because of a third-party vendor, you have daily update calls to keep informed of the status.
Do other companies put this kind of spyware on your computer?
I'm afraid so. Reputable companies don't, but not all companies are reputable. The worst offenders that I know of are the suppliers of clients for peer-to-peer file sharing networks such as KaZaA.