Sony Rootkit Allegedly Contains LGPL Software
Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.
just say no (Score:3, Insightful)
Re:just say no (Score:3, Interesting)
Yes, but this time, it's customers suing them!
Re:just say no (Score:3, Funny)
Thank god! (Score:4, Insightful)
Re:Thank god! (Score:5, Insightful)
Re:Thank god! (Score:5, Insightful)
Not sure about the English language, but in my own we have a saying for this: "Do what I say, not what I do"
Re:Thank god! (Score:5, Interesting)
Yup, that's right. The thing that kills me is that certain members of our government are busy drafting legislation that would make criminal penalties against copyright infringement harsher [slashdot.org], including jail time. No doubt Sony is a sponsor of this bill - or at least the RIAA/MPAA, of which Sony is a member. Yet do you think that Sony would ever be concerned about holding themselves to the same standard? Would they, as a sponsor of this proposed legislation, support the CEO, CIO, chief architect, programmer, or otherwise spending some time in jail for an LGPL or GPL copyright violation?
The double standard kills me, and in cases like this where Sony's actions are quite simply audacious, I almost start to feel physical anger. I'm tired of being treated like a criminal, and it's really about time that a company like Sony be held responsible for the huge amount of personal and other violations that they have trampled on with this one single action of releasing this software.
GPL gives rights beyond copyright law (Score:5, Interesting)
The thing that people don't seem to realize is that if the GPL doesn't hold any water (and it may not), then the whole thing just collapses back to plain old copyright law. In that case, they can't copy and sell the code at all without permission from the writer.
If I write a book and release it on the internet for everybody to download for free, you still can't copy and sell it without my permission. The fact that the code is offered for free doesn't mean that the writer has given up his rights to the work. In fact it is the GPL that gives people the right to copy and sell the work, if they follow the rules outlined in it. Breaking the GPL means you don't have permission to copy and sell the works at all. It is the GPL itself that makes it legal for people to copy and sell GPLed work. Without the GPL it's just plain ol' copyright infringement.
Re:Thank god! (Score:3)
Re:Thank god! (Score:4, Funny)
Re:Thank god! - What's Next (Score:4, Funny)
I know it causes me significant pain ...
Well, hang on a minute (Score:3, Interesting)
In fact, I thought that was the whole difference between the GPL and LGPL.
Did I get this wrong, or is this a non-story?
D
Re:Well, hang on a minute (Score:5, Insightful)
Re:Well, hang on a minute (Score:4, Informative)
Code vs metadata (Score:3, Interesting)
Re:Code vs metadata (Score:5, Interesting)
Re:Code vs metadata (Score:5, Interesting)
Are you arguing that the included code is being used in a way that violates Fair Use, or that simply including the code for comparison (as the grandparent argues) is not fair use? I can't imagine why Sony would need to "use" several MP3 encoders (this comment [slashdot.org] links to a list of them) to actually encode music. Thus, I would assume that Sony is including bits of code from these programs in order to prevent them from running. Is that a violation of the LGPL?
Re:Code vs metadata (Score:5, Insightful)
To my knowledge, there is no fair use right that covers distribution in any form except for first sale, which doesn't apply here and only arguably applies to digital distribution at all.
Re:Code vs metadata (Score:5, Informative)
You are way off. "Fair use" isn't a specific law, it is a set of factors that must be considered in a copyright infringement case. Read up on it. [stanford.edu] You can't definitively say "there's no fair use law covering this" because fair use is non-specific. It's a huge grey area.
Re:Code vs metadata (Score:5, Funny)
Under the LGPL, they must offer us the source code. This protects our ability to rebuild the DRM rootkit for different versions of the LAME library -- so that it can detect newer LAME libraries, or our personal modified copies of the LAME library, and disable those as well.
Takedown notice against Sony (Score:5, Funny)
Re:Takedown notice against Sony (Score:4, Interesting)
Why hasn't anyone issued a takedown notice to Sony, so they have to pull these viral CDs from the stores and issue a recall?
It serves them right! (Score:5, Funny)
Glee (Score:5, Insightful)
Re:Glee (Score:5, Interesting)
I haven't bought a CD in years. It's put a big damper on my listening to new music, but it's just not worth it to support that industry. I've heard that Ani DiFranco's label is completely independent though, so I might go buy her stuff.
Re:Glee (Score:5, Informative)
Re:Glee (Score:3, Informative)
Sneaky Sony (Score:5, Funny)
Next thing you know, they'll be after our precious bodily fluids.
More info (Score:5, Informative)
Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/ [hack.fi]
There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.
What's next? (Score:5, Funny)
- Sony rootkit eats kittens?
- Sony rootkit throws momma from the train?
- Sony rootkit spawns Darth Vader?
- Sony rootkit deflates tires of soccer moms?
- Sony rootkit steals cookies from girl scouts?
- Sony rootkit cheats at final exams?
- Sony rootkit pours hot grits down Natalie Portman's pants?
Re:What's next? (Score:5, Funny)
There, fixed that for you.
It even has some GPL components (Score:5, Interesting)
So it is not only LGPL, but also the more strict GPL. This is of course all meaningless if nobody from the mpg123 project steps out and tells Sony to go with the license.
outdated info, it's LGPL nowadays (Score:5, Informative)
tell the developers about the money (Score:5, Insightful)
Suppose the case settles for 10% and the lawyers take 90%. That leaves $750 per CD-ROM for the mpg123 developers. Now think about how many CD-ROMs have been produced.
Oh, what I'd give to have Sony infringe my open source project! The mpg123 developers are some lucky bastards for sure. I need to learn how to write Windows multimedia software instead of just Linux system software.
Let EFF know what you think (Score:5, Interesting)
Plus patents... (Score:5, Funny)
Baz
[1] in some lawyers opinion.... see http://en.wikipedia.org/wiki/LAME [wikipedia.org] for info.
Not stranger entirely consistent (Score:3, Insightful)
In short if you look at this from the perspective that these people feel that they own YOUR right to enjoy entertainment, it all becomes very consistent.
Sony needs to protect its image... (Score:5, Insightful)
I also feel sorry for the poor chap who buys Ricky Martin, Neil Diamond or Celine Dion CDs, I really do.
Sony should have some kind of disclaimer about installing its bad software, maybe a 'Spyware Advisory' sticker? It is only fair.
Re:Sony needs to protect its image... (Score:5, Funny)
Yes, but what about the DRM issue on these CDs?
Re:Sony needs to protect its image... (Score:3, Funny)
Probably also increased the amount of their material being pirated. Since those wanting to listen to those artists are likely to prefer a "clean" copy.
Sabotage from within? (Score:5, Interesting)
The more I think about it, it really smells of dissention from within.
Either that or it looks to me like this is a mix of business people not understanding their market, customers, or technology and sloppy code work. I mean, what asshat would grab some open source code and not adhere to the license? It is either a tremendous faux pas on Sony's part, or there was some intentional act here to make this as reprehensible as possible.
Sort of like watching the music industry test the waters on this sort of thing and finding them extremely chilly.
Re:Sabotage from within? (Score:3, Insightful)
IF the allegations are true, then I expect that Sony have actually been doing this kind of thing for years and getting away with it. Only NOW are people taking a closer look at Sony's code to see exactly how deep this seam of faeces runs.
Re:Sabotage from within? (Score:3, Insightful)
The sort of asshat who would write this thing in the first place?
Re:Sabotage from within? (Score:3, Insightful)
The same asshat who writes software that violates the property and privacy rights of paying customers.
The perfect comment (Score:3, Funny)
Ironic? (Score:5, Insightful)
Second of all, am I the only one who finds it ironic that a DRM program designed to protect someone's copyrighted information is itself infringing on someone's copyright? I guess if Sony wants to fight those evil copyright violators they should start by putting themselves in jail.
I don't get it (Score:3, Insightful)
Unless Sony wanted high quality mp3's made from the CD (which I seriously doubt for some strange reason), I don't get why they would put it in there.
It isn't like LAME has any DRM itself. Far from that.
Anyone have any ideas?
Re:I don't get it (Score:3, Interesting)
Re:I don't get it (Score:5, Interesting)
Well, according to some people who have had to exorcise the demon from their Windows PC, what happened after installing the rootkit is that MP3 files ripped from other CDs came back worse for wear, with noise, loss of quality and whatnot.
If that is true, you can probably connect the dots easily and see what Sony was after.
In Case Anybody's Losing Track (Score:5, Informative)
What does the rootkit do when it detects LAME? (Score:5, Interesting)
So the interesting question is: what does the rootkit do when it detects LAME on your hard drive? Does it disable or corrupt LAME? Does it phone home? Does it automatically initiate an RIAA lawsuit?
*This* is what I think the next Sony class-action lawsuit should be about. I doubt there is enough grounds to get them on an LGPL copyright infringement suit.
2. Muzzy points out that the Sony uninstaller installs a "safe for scripting" Active-X control with remotely exploitable entry points for rebooting your machine and possibly for installing arbitrary code on your machine. More fuel for the tasty class action suits that are starting up.
3. Sony has done so many evil things with the rootkit fiasco (and we haven't discovered them all yet); the outrage is spreading, and it may lead to a major backlash against the whole industry practice of distributing corrupted CDs in the name of DRM. Here's hoping for a brighter tomorrow.
Doug Moen.
Re:What does the rootkit do when it detects LAME? (Score:3, Informative)
Not Sony (Score:5, Interesting)
But it's worth mentioning at this point that Sony didn't develop the software in question here - the XCP [xcp-aurora.com] software was developed by First4Internet [first4internet.com].
Not being a lawyer, or particularly knowledgeable about (L)GPL terms, who could be held liable when a piece of software is developed by one party, but distributed by another? Is ignorance a defence, for instance if Sony said "We didn't know it had unlicensed code!", how would that affect things?
Re:Not Sony (Score:5, Insightful)
"I'm sorry sir but you're the owner. You owe $500,000 in damages."
They don't allow the "but I didn't know" explanation. Why should they be allowed to use it? I say try to nail them. They've done far worse to others.
Re:Not Sony (Score:5, Insightful)
In particular copyright infringement is "strict liability". You have an affirmative duty not to infringe copyright, and if you do infringe copyright then you are guilty no matter how accidental or innocent it may have been. Assuming their rootkit does indeed contain infringing code, Sony is legally liable no matter where they got it and even if they had no idea it was in there.
However there is a clause in copyright law that if the defendant proves in court that he is an "innocent infringer" then the judge may reduce the monetary damages.
Also Sony might be able to sue the rootkit authors to recoup any damages they had to pay for copyright infringement. But that would be a completely independent legal issue and an entirely different court case.
And quite significantly, the complaining GPL copyright holder can likely get a court order for all of the infringing CDs to be DESTROYED.
Re:Not Sony (Score:5, Informative)
In court, damages would be determined based upon the length of time when you were told you were in violation, and when you decided to correct this behavior.
If you were warned that you were in violation, today, and correct the violation in a week, or stop distributing the code in a month (as soon as reasonably possible) damages would be 'negligible'.
If you were warned that you were in violation, then ignored it indefinitely, until the matter was brought up in court, that would be considered willfully infringing. There would be damages, but of a limited amount, and an injunction against you for this kind of behavior.
If you were warned that you were in violation, then you denied it, then you tried to disprove it, then you counter-sued, then you ignored it, attempted to settle, caused settlement negotiations to break down, filed to have the hearing moved to a different jurisdiction, etc etc, the court could be persuaded to lean towards the '$100,000 per CD copyright fine'.
The court is given a fair amount of leeway in deciding this kind of thing. Behave badly, and unless you have a crack legal team, you'll get slapped. Judges, regardless of whether they are right wing or left wing have a _very_ serious sense of fairness. Fuck with some one in a willful way, and play with them in court to prolong your profiteering, and a judge _will_ come down on you hard.
Hilariously, this seemed to work too well for Microsoft. They got the judge so damn pissed off that had to reverse his decision. In my opinion, however, you'll never see this happen again. No judge will make the kind of comments that were made in that case.
It's getting pulled anyhow (Score:5, Informative)
http://www.usatoday.com/tech/news/computersecurit
Jerry
http://www.cyvin.org/ [cyvin.org]
Re:It's getting pulled anyhow (Score:5, Insightful)
http://www.usatoday.com/tech/news/computersecurit
Are they also pulling all of the infected PCs in for free repairs?
No? Then let's not help these wankers by helping to spread their desperate PR pieces.
How many of you have PS3's on preorder now? (Score:5, Insightful)
But LAME author doesn't want to take action (Score:3, Insightful)
When Interware violation incident occurs, I feel like as if my own son/daughter were raped by them. But I soon realized I can't have enough power to change the situation. I prefer coding, listening music, cooking to legal action. [slashdot.jp]
Similar comment was written on Journal entry. [slashdot.jp]
tt also comments on tables, as more hint for searching copyleft infringement seeking; t16_5l[]@table.c & enwindow[]@newmdct.c [slashdot.jp]
I think we know what to do (Score:3, Insightful)
Yes, I'm serious. It's time to turn this shit back around on these bastards.
Correct me if I'm wrong but... (Score:3, Insightful)
Too many license lawyers (Score:3, Interesting)
The LGPL does not require you to distribute the source code, it only requires you to give the source code to a user who asks for it. Including the source code with the software is only one of several means to accomplish this. Has any legal user of the software asked Sony for the source code? Anyone? I thought not...
It's not that I think Sony is innocent. Hardly! But that's no excuse for hundreds of Slashdot posters to be whining about license terms that don't even exist.
Re:Uuuuuh (Score:3, Informative)
Re:Uuuuuh (Score:5, Informative)
No. You can link LGPLed software with proprietary software, but you must still distribute the sources of at least the free software (free as in RMS).
"operating system on which the executable runs" (Score:5, Informative)
<sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>
The GNU General Public License [gnu.org] and the GNU Lesser General Public License [gnu.org] have an operating system exemption. The exact wording of the exemption in both licenses is as follows:
True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.
Re:"operating system on which the executable runs" (Score:5, Informative)
Re:Uuuuuh (Score:5, Informative)
This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.
Notification? (Score:5, Funny)
Re:Notification? (Score:5, Funny)
This is the problem with the viral nature of the GPL and even the LGPL licenses and is why you should really consider using BSD licensed software in your DRM rootkits in the future. Screw the FSF!
Re:Notification? (Score:3, Insightful)
There is a psychology term called "projection" which is very important here. In this case and in the case you can sum it up as the rule that those who complain loudest about copyright violations are likely to be violating other peoples' copyrights.
Re:Notification? (Score:3, Interesting)
Re:Notification? (Score:3, Insightful)
Re:Uuuuuh (Score:4, Informative)
Even the methodology used by the sysinternals dude, of analyzing the kernel call vector to find the rootkit (by locating addresses pointing outside of the kernel) is nowhere near bulletproof. We're coming up on the 5th inning of the apocalypse of Windows. Soon a Mac will look cheap when you compare it to the time consuming weekly reformat/reinstall cycles that lie just beyond the horizon.
Yeah but... (Score:4, Funny)
Hmmm I wonder...
$sys$rootkit.cpp
$sys$rootkit.h
$sys$drm.cpp
$sys$drm.h
$sys$lgpl.txt
Nope. (Score:5, Informative)
That being said, from what I've read it appears that the Sony DRM code may be looking for LAME on the system (to block it from working on their 'protected' stuff) but doesn't appear to actually contain LAME code.
Almost. (Score:5, Informative)
Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distributing statically linked binaries and all
no excuse (Score:5, Interesting)
Since Sony already argues against fair use of samples, one need only supply the court with Sony's own arguments against fair use.
Re:Wrong. Because the best-kept secret about LGPL. (Score:3, Informative)
Note the words "may be". Copyright law is funny. Using things that are necessary to interoperate (e.g. simple definitions of constants and function prototypes) is not a problem from a copyright perspective (c.f. "scenes a faire"). If there's only one way to express an idea (e.g. "errno.h", which maps POSIX
Re:Nope. (Score:3, Insightful)
The gap between Sony's actions and those required by the LGPL is so huge, and the differences are essential. On one hand, we have a copyright restriction which generally acts like a Kantian categorical imperative: it demands that you act in such a way that perpetuates the very conditions by which you were able to obtain it in the first place. It is enforced by trust first and foremost.
In Sony's case, we have restrictions on how many times you c
Re:Nope. (Score:3, Insightful)
I don't see why this is so confusing to people.
You can charge whatever you want for a GPL'd program. You can charge a million dollars if you want to. You don't have to offer your GPL'd program for free download. You just have to offer the source to anyone who gets your binary, and not restrict their rights to alter or redistribute. That's it.
Re:Uuuuuh (Score:5, Informative)
No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and direct users of the software to a website containing the source code.
Re:Uuuuuh (Score:5, Funny)
WRONG (Score:5, Interesting)
If Sony don't provide the source they must make THE source available to all third parties for at least 3 years.
This is an obligation they must fulfil.
http://www.gnu.org/licenses/gpl-faq.html#Distribu
http://www.gnu.org/licenses/gpl-faq.html#TOCSourc
Merely pointing to "a website" or "the website we got it from" is not enough.
You have to make-sure-it-stays-there. And that's not enough.
You also have to let people request it by mail charging only a minimal fee.
You have to track your releases and make sure you keep the source of each release separately so you can give people the source to the version they had.
Too many people consider only casually the obligation that the GPL puts on them. GPL is not an easy way out.
It's easy to receive GPL software because the burden is on the distributor, but you must understand and fulfil the burden when you are the distributor.
With most commercial software you pay some money before you receive it but you still have to follow the license guidelines.
Is it too often for me to say again that too many people distribute binary packages to open source software and distribute the source they compile to make the binary package but do not distribute the source to making the binary package; i.e. the
Sam
Re:This story gets better and better (Score:4, Funny)
... or maybe yes (Score:5, Interesting)
Re:... or maybe not (Score:4, Insightful)
Oh sure I have 10G of unlicensed mp3s, but I've never listened to them.
LAME is in there, just not in GO.EXE (Score:5, Informative)
Re:This counts as a violation *why*? (Score:4, Interesting)
Re:So... How about them statutory damages... (Score:5, Insightful)
Re:So... How about them statutory damages... (Score:3, Interesting)
What incredible irony it would be if the LAME group ended up owning Sony Corp.
Yeah, I know, not a chance in hell, but one can dream...
Re:So... How about them statutory damages... (Score:5, Insightful)
Just once, I'd like to see a major corporation wiped off the face of the earth because it violated the law. It would send a nice message to the other megacorporations. If you're going to use the law as a weapon against us, we can use it right back.
So please, talk to the EFF. I'll donate whatever I can to the legal fund.
Re:So... How about them statutory damages... (Score:5, Interesting)
Because each copyright holder can sue independently.
Oh, and in case anyone forgot the RIAA sued a college student for $97.8 Billion. [slashdot.org] So they have absolutely no right to bitch about how stupid-huge copyright infringements can get to be. Their own lawyers participated in drafting the law the stupid-ass damages.
Re:LGPL (Score:5, Informative)
Re:LGPL (Score:3, Informative)
The LGPL does not require you to give anyone access to the non-free parts you linked with it. Only if you modify the library itself you are required to give access to the sources of said library, not to the source of the program you link with that library.
So I don't see why Sony is violating the LGPL here. As you can download the LGPLed library from sourceforge, its
Re:LGPL (Score:4, Insightful)
I see that modern versions of LGPL want that the source of the library is included with the distributed binary.
Another reason not to use LGPL code
angel'o'sphere
Re:LGPL (Score:3, Informative)
I believe you should shut up, stop relying on hearsay and read the license. Section 4 most clearly states:
Re:Blame Sony? (Score:3, Insightful)
If they choose XCP knowing how it works (and what it would do), they're guilty. If they choose it unknowingly, they're incompetent. They're responsible either way.
Two key issues become clearer (Score:4, Insightful)
Another interesting point I see is that someone, sooner or later is going to challenge the legality of Open Source under the 'free' standard and litigate that it is tantamount to price fixing, i.e. antitrust. How long before someone challenges that the contractual language that forces someone to provide code at no cost is the same as being forced to sell it at an inflated price. The price is still fixed, whether at zero or at some other number.
These are a couple of major challenges that await open source. I hope someone gets their ducks in a row before these things come to fruition. Open Source has driven the industry in a very good direction. I would hate to see it fall because it can't support itself, financially, when and where it is needed. Justice is NOT free, in fact the costs are enormous to obtain justice. Somehow that has to be worked into the Open Source equation in a way that works for us all or the likes of Sony are going to kill it off.
Re:LAME encoder (Score:4, Informative)
Isn't the LAME encoder an MP3 encoder that still needs to be licensed from Thomson?
In short, No!
Longer version: According to Dave Arland, a U.S. spokesman for Thomson Multimedia - 'its policy has always been to allow free use of the company's MP3 patents in "freely distributable software"'
Newsforge Article [newsforge.com]