Forgot your password?
typodupeerror
GNU is Not Unix Media Your Rights Online

Sony Rootkit Allegedly Contains LGPL Software 623

Posted by CmdrTaco
from the this-keeps-getting-funnier dept.
Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distrbuted, hence breaching the license. Here is an english translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.
This discussion has been archived. No new comments can be posted.

Sony Rootkit Allegedly Contains LGPL Software

Comments Filter:
  • just say no (Score:3, Insightful)

    by hector_uk (882132) on Tuesday November 15, 2005 @09:21AM (#14033888)
    now I feel more and more justified for not buying any music until the music industry stops suing their customers.
  • Thank god! (Score:4, Insightful)

    by Anita Coney (648748) on Tuesday November 15, 2005 @09:22AM (#14033892) Homepage
    I read about this story days ago. I was hoping it wouldn't get lost. In a way this is even bigger than the root-kit story. You've got to love the irony of stealing code to create a DRM infested ripper!
    • Re:Thank god! (Score:5, Insightful)

      by Halo1 (136547) <<eb.tnegu.sile> <ta> <ebeam.sanoj>> on Tuesday November 15, 2005 @09:39AM (#14033994) Homepage
      They're not stealing code, they're infringing on the author's copyrights by not respecting the license under which the code is be distributed (in exactly the same way people who "share" Sony/BMG music via p2p etc infringe on Sony/BMG's and the the artists' copyrights).
      • Re:Thank god! (Score:5, Insightful)

        by Sepper (524857) on Tuesday November 15, 2005 @09:57AM (#14034102) Journal
        (in exactly the same way people who "share" Sony/BMG music via p2p etc infringe on Sony/BMG's and the the artists' copyrights).

        Not sure about the English language, but in my own we have a saying for this: "Do what I say, not what I do"
        • Re:Thank god! (Score:5, Interesting)

          by IAmTheDave (746256) <basenamedave-sd@@@yahoo...com> on Tuesday November 15, 2005 @10:17AM (#14034252) Homepage Journal
          Not sure about the English language, but in my own we have a saying for this: "Do what I say, not what I do"

          Yup, that's right. The thing that kills me is that certain members of our government are busy drafting legislation that would make criminal penalties against copyright infringement harsher [slashdot.org], including jail time. No doubt Sony is a sponsor of this bill - or at least the RIAA/MPAA, of which Sony is a member. Yet do you think that Sony would ever be concerned about holding themselves to the same standard? Would they, as a sponsor of this proposed legislation, support the CEO, CIO, chief architect, programmer, or otherwise spending some time in jail for an LGPL or GPL copyright violation?

          The double standard kills me, and in cases like this where Sony's actions are quite simply audacious, I almost start to feel physical anger. I'm tired of being treated like a criminal, and it's really about time that a company like Sony be held responsible for the huge amount of personal and other violations that they have trampled on with this one single action of releasing this software.

      • You're right, I was trying to be ironic. "Stealing" should have been in quotes to better emphasize my sorry attempt at humor.
    • by heinousjay (683506) on Tuesday November 15, 2005 @10:51AM (#14034509) Journal
      It's like an infinite loop of hypocrisy: My god, it's full of piracy!
  • by daviddennis (10926) <david@amazing.com> on Tuesday November 15, 2005 @09:25AM (#14033911) Homepage
    I will admit I haven't read the license, but I could have sworn that I have no obligation to distribute the source of software I write using LGPL-licensed libraries. I thought I could freely distribute software using them them for any purpose even if I was distributing binaries only of my proprietary software.

    In fact, I thought that was the whole difference between the GPL and LGPL.

    Did I get this wrong, or is this a non-story?

    D
    • by Vo0k (760020) on Tuesday November 15, 2005 @09:32AM (#14033958) Journal
      You have to redistribute source of these libraries and enough hooks/API so anyone could replace them with whatever they like in your program. So either link dynamically (and include just the lib sources) or if you link statically, include source of the libraries and .o objects of your binary so they can be re-linked.
  • Code vs metadata (Score:3, Interesting)

    by Vo0k (760020) on Tuesday November 15, 2005 @09:26AM (#14033915) Journal
    IANAL, but I think this is no-case. The code isn't included as executable, but as metadata usable in identifying LAME. Same as antivirus vendors shouldn't be kept liable for installing millions of viruses and copyrighted code from multiple spyware programs, just because the antivirus contains sniplets of the original code used in identifying the threats. They don't link the code against the program, but include pieces of it as non-executable data for the database. It's fair use. Same as you'd sue Google for copyright infringement because they include a sniplet of text from your website in their search results, or a thumbnail of your copyrighted image in image search.
    • Re:Code vs metadata (Score:5, Interesting)

      by muzzy (164903) on Tuesday November 15, 2005 @09:41AM (#14033998) Homepage Journal
      Wrong, it isn't used for identifying anything. The GO.EXE only contains the strings and data but it isn't used there. I wasn't able to find any code in the executable that uses the data (for any purposes), and I looked pretty hard. It's been statically linked but unused. HOWEVER, there are more binaries on the CD compressed in XCP.DAT, which get installed to the system along with the DRM crap. At least one of these binaries contain LAME code for certain. The GO.EXE might not be enough for a case, but that's just the tip of the iceberg. There's real infringement in at least one other executable.
      • Re:Code vs metadata (Score:5, Interesting)

        by courtarro (786894) on Tuesday November 15, 2005 @10:09AM (#14034184) Homepage
        At least one of these binaries contain LAME code for certain.

        Are you arguing that the included code is being used in a way that violates Fair Use, or that simply including the code for comparison (as the grandparent argues) is not fair use? I can't imagine why Sony would need to "use" several MP3 encoders (this comment [slashdot.org] links to a list of them) to actually encode music. Thus, I would assume that Sony is including bits of code from these programs in order to prevent them from running. Is that a violation of the LGPL?

        • by arkanes (521690) <arkanes@gmail.CHICAGOcom minus city> on Tuesday November 15, 2005 @10:59AM (#14034593) Homepage
          It is a techncial copyright violation (and there is no fair use right that covers it) to distribute LAME code in object format, no matter how it is used, or even if it is not used at all. Just like it would be copyright infringment for me to ship my app with a tarball of the Windows source code in it.

          To my knowledge, there is no fair use right that covers distribution in any form except for first sale, which doesn't apply here and only arguably applies to digital distribution at all.

  • by Anonymous Coward on Tuesday November 15, 2005 @09:26AM (#14033917)
    Someone should send a takedown notice to the Sony corporation.
  • by AndroidCat (229562) on Tuesday November 15, 2005 @09:30AM (#14033941) Homepage
    If they'd gone Open Source from the start with their rootkit, the community could have contributed bug fixes and improvements. Even their competitors could have gotten involved, resulting in a truely powerful bug-free rootkit for use by everyone.
  • Glee (Score:5, Insightful)

    by johnos (109351) on Tuesday November 15, 2005 @09:30AM (#14033942)
    Its beautiful. I've always thought that the corporate war on their customers over intellectual property would turn when someone went too far. All of a sudden the main stream media would wake up and finally get it. Well, now its happened. The media is all over the story and Sony, bless their hollow little heads, just keep digging. I'm sure I'm not the only one who was shocked but not suprised at the news Sony or Level 4 have broken the LGPL. They are staggering around like a pummled prizefighter, bleeding on everything. There's going to be more blood before this is over. Besides the $billion or so it will cost Sony to clean up the mess, others will have some 'splainin to do. Like the anti-virus companies, like Microsoft, like the other music companies.
  • Sneaky Sony (Score:5, Funny)

    by Ritz_Just_Ritz (883997) on Tuesday November 15, 2005 @09:30AM (#14033944)
    I knew something was up when I saw that Aibo perched at my keyboard when I woke up this morning.

    Next thing you know, they'll be after our precious bodily fluids.
  • More info (Score:5, Informative)

    by muzzy (164903) on Tuesday November 15, 2005 @09:31AM (#14033949) Homepage Journal
    The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.

    Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/ [hack.fi]
    There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.
  • by Pig Hogger (10379) <pig.hogger@gmai l . c om> on Tuesday November 15, 2005 @09:34AM (#14033969) Journal
    The more it goes, the worse it seems. What's next?

    - Sony rootkit eats kittens?
    - Sony rootkit throws momma from the train?
    - Sony rootkit spawns Darth Vader?
    - Sony rootkit deflates tires of soccer moms?
    - Sony rootkit steals cookies from girl scouts?
    - Sony rootkit cheats at final exams?
    - Sony rootkit pours hot grits down Natalie Portman's pants?

  • by leuk_he (194174) on Tuesday November 15, 2005 @09:40AM (#14033995) Homepage Journal
    looking at the licence of lame: [sourceforge.net]



    *** IMPORTANT NOTE ***

    The decoding functions provided in LAME use the mpglib decoding engine which
    is under the GPL. They may not be used by any program not released under the
    GPL unless you obtain such permission from the MPG123 project (www.mpg123.de).


    So it is not only LPGL, but also the more strict GPL. This is of coarse all meaningless if nobody from the mpg123 project steps out and tells sony to go with the license.
  • by Bazman (4849) on Tuesday November 15, 2005 @09:41AM (#14034004) Journal
    "So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license..."

    ... from a project that may be[1] in violation of patent law! Woohoo!

    Baz

    [1] in some lawyers opinion.... see http://en.wikipedia.org/wiki/LAME [wikipedia.org] for info.

  • by Crashmarik (635988) on Tuesday November 15, 2005 @09:42AM (#14034010)
    The fact that sony has chosen to violate a license agreement is entirely consistent with the motion picture and music industry standard operating procedures. The only rights they acknowledge are their own. For someone else to assert their rights, would be considered meerly cheeky. Look at the Buchwald case, record industry and movie industry accounting practices.

    In short if you look at this from the perspective that these people feel that they own YOUR right to enjoy entertainment, it all becomes very consistent.
  • by digitaldc (879047) on Tuesday November 15, 2005 @09:42AM (#14034013)
    ...not its CDs. They have done more to damage their image and profits with this story than they would have saved by installing its spyware.
    I also feel sorry for the poor chap who buys Ricky Martin, Neil Diamond or Celine Dion CDs, I really do.
    Sony should have some kind of disclaimer about installing its bad software, maybe a 'Spyware Advisory' sticker? It is only fair.
  • by jeffs72 (711141) on Tuesday November 15, 2005 @09:51AM (#14034071) Journal
    I could see the developer who had this project fall in his lap say "this is fucking stupid, lets teach them a lesson on integrating spyware with their cds" and violating this license (which will give them a black eye) and then write it in such a way that people can easily use it as a virus/trojan vector.

    The more I think about it, it really smells of dissention from within.

    Either that or it looks to me like this is a mix of business people not understanding their market, customers, or technology and sloppy code work. I mean, what asshat would grab some open source code and not adhere to the license? It is either a tremendous faux pas on Sony's part, or there was some intentional act here to make this as reprehensible as possible.

    Sort of like watching the music industry test the waters on this sort of thing and finding them extremely chilly.

    • "It is either a tremendous faux pas on Sony's part, or there was some intentional act here to make this as reprehensible as possible."

      IF the allegations are true, then I expect that Sony have actually been doing this kind of thing for years and getting away with it. Only NOW are people taking a closer look at Sony's code to see exactly how deep this seam of faeces runs.
    • I mean, what asshat would grab some open source code and not adhere to the license?

      The sort of asshat who would write this thing in the first place?

    • I mean, what asshat would grab some open source code and not adhere to the license?

      The same asshat who writes software that violates the property and privacy rights of paying customers.
  • by Anonymous Coward on Tuesday November 15, 2005 @09:52AM (#14034074)
  • Ironic? (Score:5, Insightful)

    by Rakishi (759894) on Tuesday November 15, 2005 @09:54AM (#14034088)
    First of all it seems that there is more than just LAME in there: http://hack.fi/~muzzy/sony-drm/ [hack.fi]

    Second of all, am I the only one who finds it ironic that a DRM program designed to protect someone's copyrighted information is itself infringing on someone's copyright? I guess if Sony wants to fight those evil copyright violators they should start by putting themselves in jail.
  • I don't get it (Score:3, Insightful)

    by chrisgeleven (514645) on Tuesday November 15, 2005 @09:59AM (#14034117) Homepage
    Why would Sony include LAME (or parts of it) in with this rootkit? LAME is just a mp3 encoder.

    Unless Sony wanted high quality mp3's made from the CD (which I seriously doubt for some strange reason), I don't get why they would put it in there.

    It isn't like LAME has any DRM itself. Far from that.

    Anyone have any ideas?
    • Re:I don't get it (Score:3, Interesting)

      by jrcamp (150032)
      I read an article a week or so back saying that the rootkit would insert spots of noise into MP3's when you tried to burn them to degrade the quality. Perhaps this is where LAME could be used? Anybody know the article I'm talking about and can link it?
    • Re:I don't get it (Score:5, Interesting)

      by Walkiry (698192) on Tuesday November 15, 2005 @10:50AM (#14034501) Homepage
      >Anyone have any ideas?

      Well, according to some people who have had to exorcise the demon from their windows PC, what happened after installing the rootkit is that MP3 files ripped from other CDs came back worse to wear, with noise, loss of quality and whatnot.

      If that is true, you can probably connect the dots easily and see what Sony was after :-)
  • by trentrez (918830) <mattslight&incite-ict,com> on Tuesday November 15, 2005 @10:01AM (#14034126) Homepage
    FYI. BoingBoing have compiled a comprehensive timeline of events surrounding this: http://www.boingboing.net/2005/11/14/sony_anticust omer_te.html [boingboing.net]
  • by dmoen (88623) on Tuesday November 15, 2005 @10:08AM (#14034182) Homepage
    1. It seems that Sony has not actually included any executable code from LAME, only some data, which is likely used as a signature, to determine if you have LAME installed and are using it to rip MP3s. This is likely fair use, not wholesale copyright violation, as far as LAME and the LGPL are concerned.

    So the interesting question is: what does the rootkit do when it detects LAME on your hard drive? Does it disable or corrupt LAME? Does it phone home? Does it automatically initiate an RIAA lawsuit?

    *This* is what I think the next Sony class-action lawsuit should be about. I doubt there is enough grounds to get them on an LGPL copyright infringement suit.

    2. Muzzy points out that the Sony uninstaller installs a "safe for scripting" Active-X control with remotely exploitable entry points for rebooting your machine and possibly for installing arbitrary code on your machine. More fuel for the tasty class action suits that are starting up.

    3. Sony has done so many evil things with the rootkit fiasco (and we haven't discovered them all yet); the outrage is spreading, and it may lead to a major backlash against the whole industry practice of distributing corrupted CDs in the name of DRM. Here's hoping for a brighter tomorrow.

    Doug Moen.
  • Not Sony (Score:5, Interesting)

    by MaestroSartori (146297) on Tuesday November 15, 2005 @10:13AM (#14034215) Homepage
    Disclaimer: I'm a Sony employee, and I strongly disapprove of the rootkit DRM stuff in a completely unofficial not-representative-of-the-company way ;)

    But it's worth mentioning at this point that Sony didn't develop the software in question here - the XCP [xcp-aurora.com] software was developed by First4Internet [first4internet.com].

    Not being a lawyer, or particularly knowledgable about (L)GPL terms, who could be held liable when a piece of software is developed by one party, but distributed by another? Is ignorance a defence, for instance if Sony said "We didn't know it had unlicensed code!", how would that affect things?
    • Re:Not Sony (Score:5, Insightful)

      by jrcamp (150032) on Tuesday November 15, 2005 @10:35AM (#14034376)
      "But I didn't know my Internet connection was being used by my son to download Sony BMG artists' songs!"

      "I'm sorry sir but you're the owner. You owe $500,000 in damages."

      They don't allow the "but I didn't know" explanation. Why should they be allowed to use it? I say try to nail them. They've done far worse to others.
    • Re:Not Sony (Score:5, Insightful)

      by Alsee (515537) on Tuesday November 15, 2005 @01:05PM (#14035787) Homepage
      Our copyright law has literally been written by lawyers employed by the publishing industry (and then out idiot congressmen pass it generally exactly as drafted). Thus copyright law is evil as hell if it is actually enforced.

      In particular copyright infringment is "strict liability". You have an afirmative duty not to infringe copyright, and if you do infringe copyright then you are guilty no matter how accidental or innocent it may have been. Assuming thier rootkit does indeed contain infringing code, Sony is legally liable no matter where they got it and even if they had no idea it was in there.

      However there is a clause in copyright law that if the defendant proves in court that he is an "innocent infringer" then the jude may reduce the monetary damages.

      Also Sony might be able to sue the rootkit authors to recoup any damages they had to pay for copyright infringment. But that would be a completely independant legal issue and an entirely different court case.

      And quite signifigantly, the complaining GPL copyright holder can likely get a court order for all of the infringing CDs to be DESTROYED.

      -
  • by confusion (14388) on Tuesday November 15, 2005 @10:19AM (#14034270) Homepage
    Not that it lessens their tresspass, but Sony is apparently pulling the "infected" CDs:
    http://www.usatoday.com/tech/news/computersecurity /2005-11-14-sony-cds_x.htm [usatoday.com]

    Jerry
    http://www.cyvin.org/ [cyvin.org]
  • by C. Mattix (32747) <{moc.liamg} {ta} {xittamc}> on Tuesday November 15, 2005 @10:35AM (#14034378) Homepage
    So is the Slashdot crowd going to complain and moan about Sony being a servant of the devil, and then happily go to Best Buy and get ther shiny new PS3?
  • by Trailer Trash (60756) on Tuesday November 15, 2005 @11:10AM (#14034680) Homepage
    The people who own copyrights in lame need to go after Sony for $160K/cd that has been shipped. Perhaps they can set up a call center where Sony can call in to "settle".

    Yes, I'm serious. It's time to turn this shit back around on these bastards.
  • by swelke (252267) on Tuesday November 15, 2005 @11:21AM (#14034767) Homepage Journal
    Isn't the minimum way to comply with the GPL's (and I assume also the LGPL's) source code distribution terms to make the source code available upon request? (IE you don't necessarily have to distribute source to those users who don't want it.) So has anybody tried requesting? It's worth a shot. I don't think we've ever had open source DRM crap before.
  • by Arandir (19206) on Tuesday November 15, 2005 @02:25PM (#14036533) Homepage Journal
    I used to always think a license meant what it says, not what the hordes of Slashdot children wishes it did. Please people, GO READ THE FRIGGING LGPL!

    The LGPL does not require you to distribute the source code, it only requires you to give the source code to a user who asks for it. Including the source code with the software is only one of several means to accomplish this. Has any legal user of the software asked Sony for the source code? Anyone? I thought not...

    It's not that I think Sony is innocent. Hardly! But that's no excuse for hundreds of Slashdot posters to be whining about licnese terms that don't even exist.

Anyone can do any amount of work provided it isn't the work he is supposed to be doing at the moment. -- Robert Benchley

Working...