Last November, Sony BMG Music Entertainment
was forced to recall millions of CDs in a public
relations and computer security disaster.
Copy-protection software that the New York City-based
music label had incorporated into 52 albums created a
back door into PC systems exploitable by viruses and
other computer malware. When security researchers in the
United States and Finland discovered the problem, Sony
BMG's reaction was so bad that it will probably be seen
in future years as a textbook example of a botched
corporate response.
Early in 2005, Sony BMG began releasing albums
equipped with copy-protection software known as XCP,
developed by an Oxfordshire, England, company called
First 4 Internet Ltd. More than 2.1 million of these CDs
were sold.
While the CDs can be played normally on a regular CD
player, consumers wishing to play them on a PC must use
a proprietary music player, also included on the disk.
Using this music player prevents consumers from
converting their CDs to MP3 files for play on popular
portable digital music devices, such as the iPod, or
from uploading the files to peer-to-peer Internet
file-sharing networks, where copyright piracy is
ubiquitous.
XCP prevents users from bypassing Sony BMG's music
player by permanently overriding some functions of the
operating system (OS). To conceal these changes, the XCP
software uses a technique typically seen only in the
employ of black-hat hackers, a so-called rootkit.
Rootkits first appeared as stealth viruses in the 1990s,
explains Mark Russinovich, the security researcher whose
blog entry on 31 October kicked off the public
controversy surrounding the XCP software. "A rootkit
cloaks the presence of files from security and other
software... it's implemented by modifying parts of the
OS," says Russinovich. "You can't manage it... you can't
even get rid of it."
In XCP's case, when a user first inserts a
copy-protected CD into a PC, the user is automatically
prompted to install the music player. Installed at the
same time is the rootkit, which is designed to hide the
existence of any file or folder whose name begins with
"$sys$."
The copy-protection software is then hidden in such a
folder, and the OS is altered so that when a user tries
to access a CD using normal system commands, the request
is first passed on to the cloaked software, which checks
to see if the CD is supposed to be copy-protected. If it
is, the access attempt is blocked; otherwise, the
request is passed on to the original OS function that
handles reading CDs.
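The following is an added simulation of the two mechanisms just described, the "$sys$" name cloak and the filter placed in front of the CD-read function, together with the cross-view check (comparing a raw disk listing against what the OS API reports) that exposes the cloak. It is not Sony BMG's or First 4 Internet's code; every path and disc identifier in it is constructed sample data.

```python
# Added simulation of the XCP-style cloak and CD-read hook described above.
# Not Sony BMG / First 4 Internet code; paths and disc ids are constructed.
CLOAK_PREFIX = "$sys$"  # the name prefix the article says the rootkit hides

# Constructed raw volume contents, as a direct read of the disk would see them.
RAW_VOLUME = {
    r"C:\Program Files\MediaPlayer\player.exe",
    r"C:\Windows\system32\$sys$cloak\$sys$driver.sys",  # hidden copy-protection code
    r"C:\Windows\system32\$sys$dropped.exe",            # third-party file riding the cloak
    r"C:\Users\Me\Music\track01.mp3",
}

def api_listing(raw_volume, hooked=True):
    """Directory enumeration as returned through the OS API. With the
    rootkit hook in place, any path component starting with $sys$ is dropped."""
    if not hooked:
        return set(raw_volume)
    return {
        path for path in raw_volume
        if not any(part.startswith(CLOAK_PREFIX) for part in path.split("\\"))
    }

def cross_view_diff(api_view, raw_view):
    """Cross-view detection: anything present on disk but missing from the
    API view is being cloaked, regardless of the hiding mechanism."""
    return sorted(raw_view - api_view)

# --- CD-read interception ---------------------------------------------------
PROTECTED_DISC_IDS = {"DISC-CONSTRUCTED-XCP"}  # constructed sample identifier

def original_read_cd(disc_id):
    """Stand-in for the original OS function that reads audio from a disc."""
    return f"audio from {disc_id}"

def hooked_read_cd(disc_id):
    """Stand-in for the filter XCP inserts ahead of the read function:
    block protected discs, otherwise pass the request through unchanged."""
    if disc_id in PROTECTED_DISC_IDS:
        raise PermissionError("copy-protected disc: read blocked")
    return original_read_cd(disc_id)

if __name__ == "__main__":
    seen = api_listing(RAW_VOLUME)
    print("API view:", sorted(seen))
    print("Cloaked :", cross_view_diff(seen, RAW_VOLUME))
    print(hooked_read_cd("DISC-CONSTRUCTED-PLAIN"))
```

The diff reports the dropped third-party executable alongside the copy-protection driver, which is the "huge hole" the next paragraph describes: the cloak hides any file using the prefix, not only Sony BMG's.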
With the rootkit hiding any software that is prefixed
by "$sys$," it creates "this huge hole in the system,
which could be used by any hacker, any virus writer, to
hide anything they want," explains Mikko Hyppönen, chief
research officer of F-Secure Corp., a computer security
firm based in Helsinki, Finland. Because the XCP
software had already been installed in at least hundreds
of thousands of computers, F-Secure decided not to make
a public announcement when it became aware of the
problem in early October for fear of tipping off virus
writers.
Hyppönen claims F-Secure presented Sony BMG with its
concerns that the rootkit could be used to hide malware
on 7 October, but the music label "did nothing concrete
until it was on the front page of USA Today."
A Sony BMG insider acknowledges that the label was
contacted in early October by F-Secure and says it
referred F-Secure to First 4 Internet. But this source
claims that security issues were not raised by F-Secure
to Sony BMG until mid-October, when it was agreed that
F-Secure and First 4 Internet would "work together
toward a solution." (First 4 Internet declined to
comment.) After Russinovich announced the problem, it
took only nine days before F-Secure began seeing malware
that exploited the XCP cloak.
Once the story broke, Sony BMG's inexperience with
software and security issues showed when Thomas Hesse,
president of global digital business for Sony BMG, said
on 4 November on National Public Radio's "Morning
Edition": "Most people don't even know what a rootkit
is, so why should they care about it?"
One party that cares is the U.S. Department of
Homeland Security, which includes cybersecurity as part
of its portfolio. On 10 November, as reported by the
Washington Post, Stewart Baker, assistant secretary for
homeland security, made a pointed reference to the Sony
BMG protection system, noting that companies need "to
remember that it's your intellectual property—[but]
it's not your computer." Baker went on to say that "in
the pursuit of protection of intellectual property, it's
important not to defeat or undermine the security
measures that people need."
Not only the federal government but state courts,
too, are concerned. Texas Attorney General Greg Abbott
has filed a lawsuit against Sony BMG for violating the
state's anti-spyware laws, and several consumer rights
organizations and law firms are considering class-action
suits.
Sony BMG initially offered consumers a complex
multistep process to uninstall the rootkit, but this
provoked another round of security and privacy concerns.
Finally, Sony declared that it had halted production of
XCP-protected CDs and on 18 November offered to exchange
XCP CDs for regular CDs.
The details of the exchange program can be found at
http://cp.sonybmg.com/xcp.
Ironically, the site also offers the option of
downloading affected albums in the format the label had
been dreading all along—MP3.