[ISN] Spitzer Gets on Sony BMG's Case

From: InfoSec News (isn@private)
Date: Tue Nov 29 2005 - 22:29:19 PST


http://www.businessweek.com/technology/content/nov2005/tc20051128_573560.htm

By Arik Hesseldahl
NOVEMBER 29, 2005

New York's Attorney General has turned his attention to Sony BMG's 
copyright-protection fiasco

Sony BMG Music Entertainment is getting a lot of unwanted attention
for its use of copyright-protection software that left CD users open
to computer viruses. It began with the bloggers, who shed light on the
matter, and has spread to the scads of consumers who have used the
Internet to urge a boycott of Sony BMG CDs.

A Homeland Security Dept. official has weighed in, accusing Sony BMG
of undermining computer security. And Texas Attorney General Greg
Abbott has alleged, in a suit filed Nov. 21, that Sony BMG violated
his state's antispyware laws. Now, the Sony BMG debacle has drawn the
scrutiny of New York Attorney General Eliot Spitzer.

BUYER, BEWARE.  Spitzer's office dispatched investigators who,
disguised as customers, were able to purchase affected CDs in New York
music retail outlets -- and to do so more than a week after Sony BMG
recalled the disks. The investigators bought CDs at stores including
Wal-Mart (WMT), Best Buy (BBY), Sam Goody, Circuit City (CC), FYE,
and Virgin Megastore, according to a Nov. 23 statement from Spitzer's
office.

Sony BMG says it shipped nearly 5 million CDs containing the software,
of which 2.1 million had been sold. The company says 52 individual
titles are affected.

Spitzer's office urged consumers not to buy the disks, and if they do
buy them, not to play them in computers. The disks should be returned
to the place of purchase for a refund, Spitzer advises.

MORE PRESSURE.  "It is unacceptable that more than three weeks after
this serious vulnerability was revealed, these same CDs are still on
shelves, during the busiest shopping days of the year," Spitzer said
in a written statement. "I strongly urge all retailers to heed the
warnings issued about these products, pull them from distribution
immediately, and ship them back to Sony."

Sony BMG spokesman John McKay says the company has "commenced a
mail-in exchange program and is committed to getting all copies of the
52 affected titles off store shelves. We appreciate the attorney
general's reinforcement of our efforts, and on Wednesday [Nov. 23] we
sent a follow-up message to remind them to remove XCP
content-protected CDs from their inventory." A spokeswoman for
Wal-Mart did not return a call seeking comment. A Best Buy spokesman
said the company has instructed its stores to remove the CDs from
stock and to provide exchanges to customers.

Attention from the aggressive New York attorney general adds to
pressure on Sony BMG to resolve a fiasco that came to the public's
attention on Oct. 31, when computer-systems expert Mark Russinovich
posted a message on his blog revealing that Sony BMG had placed
antipiracy software on music CDs that made customers' PCs vulnerable
to hacker attacks (see BW 11/17/05, "Sony's Copyright Overreach" [1]).

SEEKING FINES.  Sony BMG programmed the disks with a software-code set
known as a rootkit that secretly installs itself onto a PC's hard
drive when the CD is loaded. And computer-security experts have raised
questions over whether Sony BMG, a venture of Sony (SNE) and
Germany's Bertelsmann AG, could have known about the rootkit sooner
(see BW Online, 11/29/05, "Sony BMG's Costly Deafness" [2]).

Spitzer's consumer warning came days after Texas Attorney General
Abbott filed the suit against the company in Travis County, Texas.  
Abbott is seeking fines against Sony BMG of $100,000 per violation. A
spokesman for Spitzer's office in New York City declined to comment on
the attorney general's plans beyond the consumer warning, other than
to say the office is "looking into" the matter.

In April, Spitzer's office had brought suit against Intermix Media, a
Los Angeles-based firm. The suit followed a six-month investigation
that culminated in allegations that Intermix had installed advertising
software on home computers without having given those consumers ample
notice. Intermix agreed to settle the suit and was required to pay
$7.5 million. The company also had to accept a ban on the distribution
of adware programs in the future.

In July, Spitzer secured a $10 million settlement from Sony's Sony BMG
Music Entertainment record label to settle a probe into an alleged
"payola" scheme. Spitzer's office said in July that it had uncovered
evidence that the label had offered inducements, expensive gifts, and
expensive travel packages to get music played on the radio.

SALES DRAG.  Meanwhile, the rootkit blunder continues to inspire
consumer outrage and affect sales of artists who produced the affected
CDs. The ranking of Van Zant's Get Right with the Man CD plummeted on
Amazon.com's (AMZN) bestseller list in the wake of the Sony BMG snafu
(see BW 11/22/05, "Sony's Escalating 'Spyware' Fiasco" [3]).

And when Sony BMG started pulling CDs, it didn't have enough
replacements lined up, says Ross Schilling, of Van Zant's
Nashville-based manager, Vector Management.

Sony BMG had promised the CD would be swapped out with non-rootkit
CDs. Instead, the rootkit CDs simply were pulled, Schilling says.  
"It's obviously very bothersome," he says.

"HARMING THE ARTIST."  That means Van Zant's CD and others were not on
the shelves for the busiest shopping weekend of the year. Sony BMG has
told Van Zant to expect a 50% to 80% decrease in sales when the new
numbers come out on Nov. 30. That's in a week that should have seen a
50% to 80% increase in sales. The week of Nov. 9 to 16, Van Zant's
sales actually jumped a point, a spurt Schilling attributes to
exposure from the Country Music Awards.

Now that retailers are pulling the CD, there's potential for a 50,000-
to 60,000-unit loss, Schilling says. "I believe they [Sony] went in
with good intentions, but it turned into an unprecedented situation,"  
Schilling says. "It certainly is harming the artist.... There's going
to have to be some commitment made on Sony's side to their artists."  
To say nothing of the assurances Sony BMG may need to make to
consumers and a couple of states' attorneys general.

[1] http://www.businessweek.com/technology/content/nov2005/tc20051117_444162.htm
[2] http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm
[3] http://www.businessweek.com/technology/content/nov2005/tc20051122_343542.htm


