Sony, the rootkit and the internet community

No matter which internet page you open these days you are guaranteed to find at least one article mentioning the Sony rootkit affair. Instead of providing you with the latest news on the case customer vs. Sony BMG I´d like to analyze an interesting aspect of it.

In the beginning, there was one guy, who found out about the rootkit software, analyzed it in depth and wrote an entry on his blog named Mark's Sysinternals Blog which is a well frequented site. Then the ball got rolling, the news was copied and commented on other sites, big portals like slashdot and digg had articles that soon became the most popular ones for the day.

The news spread like fire throughout the world wide web, people from all over the world read the news. It was soon clear that there were only a few who supported Sony's move, the majority was clearly against it.

News got worse for Sony the following day when Mark identified additional "features" of the application. First, the rootkit software was phoning home to Sony. Second, it was almost impossible for the average user to uninstall it. Third, the rootkit had a cloaking ability that other executable files could use to hide inside, a perfect hiding place for malicious software.

Sony's reaction was to provide an update to the rootkit software that disabled the cloaking feature. Unfortunately it was again almost impossible for the average user to find the uninstaller on their webpage. Still, Sony in its shining glory denied that the rootkit posed a security threat and that most users didn't care whether a rootkit was installed on their system. The patch unfortunately had the nasty habit to crash windows on some machines.

The internet community created lists of CDs that contained the software, boycott websites went into existence and had to deal with a massive amount of visitors who were looking for information or wanted to join the boycott.

With lots of News Coverage from respected institutes like BBC, Sony presented a statement on Monday that they would cease the production of music Cd's containing First 4 Internet's XCP technology, for now.

Yesterday Dan Kaminsky presented the first figures of rootkit infections analyzing the rootkits phone home traces in the dns cache of nameservers. This lead to the conclusion that at least half a million networks are infected with it. He created a graphic showing infections on a map of North America.

Today Sony finally announced that it would institute an exchange program for already purchased CDss and pull the rest from the market.

Now, what conclusion can we draw from this? It's pretty obvious to me that Sony underestimated the "power" of the internet community. From a single website the story spread into the whole world in no more than one day. It became so popular that big internet portal sites like wired.com, cnn.com and theregister.co.uk reported on it. The traditional media became aware and soon the story was also making headlines in newspapers, radio shows and even television.

Sony: 0
Internet Community: 1

What I learn from this? We have a tremendous power in our hands and can use it to force even multinational corporations to yield. And countries? That question remains to be answered.

Advertisement