http://www.businessweek.com/technology/content/nov2005/tc20051128_573560.htm By Arik Hesseldahl NOVEMBER 29, 2005 New York's Attorney General has turned his attention to Sony BMG's copyright-protection fiasco Sony BMG Music Entertainment is getting a lot of unwanted attention for its use of copyright-protection software that left CD users open to computer viruses. It began with the bloggers, who shed light on the matter, and has spread to the scads of consumers who have used the Internet to urge a boycott of Sony BMG CDs. A Homeland Security Dept. official has weighed in, accusing Sony BMG of undermining computer security. And Texas Attorney General Greg Abbott has alleged, in a suit filed Nov. 21, that Sony BMG violated his state's antispyware laws. Now, the Sony BMG debacle has drawn the scrutiny of New York Attorney General Eliot Spitzer. BUYER, BEWARE. Spitzer's office dispatched investigators who, disguised as customers, were able to purchase affected CDs in New York music retail outlets -- and to do so more than a week after Sony BMG recalled the disks. The investigators bought CDs at stores including Wal-Mart (WMT ), BestBuy (BBY ), Sam Goody, Circuit City (CC ), FYE, and Virgin Megastore, according to a Nov. 23 statement from Spitzer's office. Sony BMG says it shipped nearly 5 million CDs containing the software, of which 2.1 million had been sold. The company says 52 individual titles are affected. Spitzer's office urged consumers not to buy the disks, and if they do buy them, not to play them in computers. The disks should be returned to the place of purchase for a refund, Spitzer advises. MORE PRESSURE. "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year," Spitzer said in a written statement. "I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony." Sony BMG spokesman John McKay says the company has "commenced a mail-in exchange program and is committed to getting all copies of the 52 affected titles off store shelves. We appreciate the attorney general's reinforcement of our efforts, and on Wednesday [Nov. 23] we sent a follow-up message to remind them to remove XCP content-protected CDs from their inventory." A spokeswoman for Wal-Mart did not return a call seeking comment. A Best Buy spokesman said the company has instructed its stores to remove the CDs from stock and to provide exchanges to customers. Attention from the aggressive New York attorney general adds to pressure on Sony BMG to resolve a fiasco that came to the public's attention on Oct. 31, when computer-systems expert Mark Russinovich posted a message on his blog revealing that Sony BMG had placed antipiracy software on music CDs that made customers' PCs vulnerable to hacker attacks (see BW 11/17/05, "Sony's Copyright Overreach" [1]). SEEKING FINES. Sony BMG programmed the disks with a software-code set known as a rootkit that secretly installs itself onto a PC's hard drive when the CD is loaded. And computer-security experts have raised questions over whether Sony BMG, a venture of Sony (SNE ) and Germany's Bertelsmann AG, could have known about the rootkit sooner (see BW Online, 11/29/05, "Sony BMG's Costly Deafness" [2]). Spitzer's consumer warning came days after Texas Attorney General Abbott filed the suit against the company in Travis County, Texas. Abbott is seeking fines against Sony BMG of $100,000 per violation. A spokesman for Spitzer's office in New York City declined to comment on the attorney general's plans beyond the consumer warning, other than to say the office is "looking into" the matter. In April, Spitzer's office had brought suit against Intermix Media, a Los Angeles-based firm. The suit followed a six-month investigation that culminated in allegations that Intermix had installed advertising software on home computers without having given those consumers ample notice. Intermix agreed to settle the suit and was required to pay $7.5 million. The company also had to accept a ban on the distribution of adware programs in the future. In July, Spitzer secured a $10 million settlement from Sony's Sony BMG Music Entertainment record label to settle a probe into an alleged "payola" scheme. Spitzer's office said in July that it had uncovered evidence that the label had offered inducements, expensive gifts, and expensive travel packages to get music played on the radio. SALES DRAG. Meanwhile, the rootkit blunder continues to inspire consumer outrage and affect sales of artists who produced the affected CDs. The ranking of Van Zant's Get Right with the Man CD plummeted on Amazon.com's (AMZN ) bestseller list in the wake of Sony BMG snafu (see BW 11/22/05, "Sony's Escalating 'Spyware' Fiasco". [3]) And when Sony BMG started pulling CDs, it didn't have enough replacements lined up, says Ross Schilling, of Van Zant's Nashville-based manager, Vector Management. Sony BMG had promised the CD would be swapped out with non-rootkit CDs. Instead, the rootkit CDs simply were pulled, Schilling says. "It's obviously very bothersome," he says. "HARMING THE ARTIST." That means Van Zant's CD and others were not on the shelves for the busiest shopping weekend of the year. Sony BMG has told Van Zant to expect a 50% to 80% decrease in sales when the new numbers come out on Nov. 30. That's in a week that should have seen a 50% to 80% increase in sales. The week of Nov. 9 to 16, Van Zant's sales actually jumped a point, a spurt Schilling attributes to exposure from the Country Music Awards. Now that retailers are pulling the CD, there's potential for a 50,000- to 60,000-unit loss, Schilling says. "I believe they [Sony] went in with good intentions, but it turned into an unprecedented situation," Schilling says. "It certainly is harming the artist.... There's going to have to be some commitment made on Sony's side to their artists." To say nothing of the assurances Sony BMG may need to make to consumers and a couple of states' attorneys general. [1] http://www.businessweek.com/technology/content/nov2005/tc20051117_444162.htm [2] http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm [3] http://www.businessweek.com/technology/content/nov2005/tc20051122_343542.htm _________________________________________ Earn your Master's degree in Information Security ONLINE www.msia.norwich.edu/csi Study IA management practices and the latest infosec issues. Norwich University is an NSA Center of Excellence.
This archive was generated by hypermail 2.1.3 : Tue Nov 29 2005 - 22:51:38 PST