As F-Secure already published when the Sony BMG XCP controversy first started spinning out of control, the company was already on Sony's tail before Mark Russinovich informed the world about this evil technology.

The difference being that F-Secure reported the issue quietly to Sony BMG to drive its consultancy business (helping fix the flaw before taking credit) where Russinovich was out to give Sony BMG a public whipping.

This story went back in time to seek out what exactly happened prior to the Russinovich blog posting. Most importantly it even further shows the level of incompetence that First 4 Internet showed in dealing with its own flawed code. The firm not only failed to act when it was first told about the security flaws in its software, it also derailed attempts to bring in F-Secure to help fix the issue (the parties couldn't agree on the terms of the non disclosure agreement). Given that First 4 Internet had created a patchwork of proprietary code combined with stolen GPL components, this isn't a big surprise.

First 4 Internet still won't comment on the mess it created. With lawsuits popping up against its technology all over the world, that's no big surprise. But the report in BusinessWeek only seems to make matters worse for both Sony BMG and First 4 Internet.

Creating insecure code is one thing. Knowing its bad nature and failing to act is even worse.

Tags: Sony BMG, first 4 internet, XCP, DRM, trojan