DVD Jon's Code In Sony Rootkit?

An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."

DVD Jon strikes back!

The Revenge of the Sick (with copy protections)!

hmm

looks like they owe the kid some royalties...

Stranger and stranger

This story get's weirder by the minute.

Though it wouldn't happen in a million years, I'd like to think this will bring Sony to it's knees. It won't, but someone can dream.

Not that I had anything against Sony in the first place, but since this crap they threw out there and expected everyone to just "take it", they need to be slapped and slapped often.

They haven't even apologized yet. At least I haven't seen it. Though just saying "sorry" doesn't cut it anymore as thousands of computers are now vulnerable in the world due to their greed.

Re:Stranger and stranger

Bear in mind that Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet [xcp-aurora.com]. While we all should (rightfully) be pissed at Sony for including this on a bunch of their CDs, we should be equally as pissed (or moreso) at First 4 Internet for their (L)GPL violations and for making this product in the first place.

Re:Stranger and stranger

Isn't Sony the distributor, thus the violator of (L)GPL ?

Re:Stranger and stranger

IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code). Not to mention, they pulled the CDs from the shelves already, which they could say coincided with the revelation of copyright violations on the discs -- ie, immediate action was action. I'm not trying to defend them or their practices at all, I'm merely looking at it from a "who can be held accountable" point of view.

Re:Stranger and stranger

It was Bush, wasn't it? I mean, he lied about the Windows Media Discs, didn't he? Or something?

Re:Stranger and stranger

That sort of defence might work for, say, a magazine cover disc that inadvertantly included a virus but not here. The inclusion of this software will have been a big thing for Sony. They will have paid to license the code from F4I and deliberately included it in their products. For them to say they didn't know what it did or that it didn't work as believed it did is no more of a defence than it would be for a car manufacturer to claim it isn't liable for it's vehicles catching fire because this is caused by a faulty fuel pump made by somebody else. Sony may be entitled to an indemnity from F4I (although when a company has shown themselves to be this incompetent I wouldn't be at all surprised if Sony forgot to demand this...) but that's a different matter (and probably worthless given the size of the mess). Where damage has been done it's been caused by a Sony product. Therefore Sony are liable. The fact they don't seem to have bothered with any sort of due dilligence on the software they were licensing which caused the damage is no defence.

Very Dangerous Reasoning

IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code).

You know, I think that this does make sense. However, this is a very dangerous line of reasoning. If you let Sony get off with no consequences for distributing stolen code, then you will never be able to prosecute any big corporatio for code copyright violations.

All a mega-corp need do is find a small, arms-length firm to launder the stolen code. Let that small firm actually steal it and then hand it on a silver platter to the mega-corp. If the mega-corp is caught, the small firm takes the hit and disappears in a puff of bankrupcy. Then mega-corp goes on to the next small firm.

If Sony truly didn't know about this, then they probably should not be liable for any statutory damages. However, they did distribute the code--which is technically a violation. Sony should be the one accountable for that violation and Sony should be able to sue First4Internet--unless of course First4Internet's license with Sony includes the standard indemnification clause like we see in most EULA's. In that case, Sony will be hoisted by their own petard--and it couldn't happen to a nicer group of people.

Re:Very Dangerous Reasoning

Product liability law is a bit different from standard negligence law. If liability can be attached, the law specifically allows claimants to recover damages from any part of the supply chain, not just the manufacturer or original supplier. I.e., even Best Buy could be held liable. This common law feature is called strict liability of torts, I think, and probably evolved to prevent passing of the buck.

Re:Very Dangerous Reasoning

IANAL, but: I've often had to have vendors go through a code review when implementing custom applications in our network. You would think that Sony would require the same thing when putting software like this on millions of CDs. If they did have a policy they should be liable. If they didn't then they are morons for accepting software at face value that goes on their most important product.

Re:Stranger and stranger

ie, immediate action was action.

Except after the initial exposure of this rootkit in their products, Sony bigwigs were on NPR radio broadcast saying essentially (paraphrased) "What they don't know won't hurt them". I'd certainly content that constitutes delayed action, and possibly collusion. Plus the factoids coming out that this rootkit may have possibly been distributed by Sony for over a year now.

Regardless of who wrote it, Sony is still the one who deliberately distributed millions of CDs containing this malware. They should have done due diligence on their own product before shipping. They've supposedly stopped making CDs with XPC, but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again. Instead, they've done practically nothing (except some basic CYA by halting further production) and practically promised that they'll be trying this again in some form in the future. Hardly sounds like an 'innocent' party.

Sony certainly deserves to get their collective ass handed to them. Its just a shame it will have to happen through lawsuits and consumer boycotts, as you'd think they would learn not to abuse their own paying customers. I guess not.

P.S. Screw you Sony, your products, warranties, and service have been crap for years, but now I will actively avoid anything to do with you.

Re:Stranger and stranger

"but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again."

Actually, it appears that they *do* plan to offer replacement discs [sonybmg.com]. I tried to post this to the main page (a fairly significant development, IMHO), but alas it was rejected. In other news, Mark Russinovich is declaring victory [sysinternals.com] as a result.

I'm not saying that makes everything okay... I'm just saying that they're not being *total* jerks about this (just *partial* jerks). I expect we'll see more of a response out of Sony once that large bureaucratic ball eventually does get rolling. In an organization the size of Sony, I'd bet it has quite a lot of intertia.

And no, I won't be buying any more Sony CDs... or probably anything else - just on principle.

Re:Stranger and stranger

According to both LGPL and GPL the one you get the software from is the distributor. He is the one responsible for adhering to the licenses. He can of course sue his own software provider later, but for now it's Sony that distributed the programs.

If Sony is providing the source code for the programs and restates that the software is unter GPL (thus giving you the right to modify and distribute your modification), then everything is fine between Sony and you though.

There have been several similar cases in Europe about this, and in every case the GPL has been found valid, and the violation of the license has been considered healed, if the final distributor was able to get hold of the source code and distribute this one too under GPL.

Check GPL v2.0 section 4:
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

For Sony this means: They lost the right to distribute the Program, and they will be in violation of the GPL until they start to comply with the GPL themselves (e.g. distributing the source and allowing modifications and redistribution under GPL).

First4Internet could be in BIG trouble.

The Computer Misuse Act, 1990 [opsi.gov.uk]

3.(1) A person is guilty of an offence if
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.

I think First4Internet's little toy is designed to prevent or hinder access to programs and data held in a computer, don't you? And I really doubt that their click-through EULA constitutes authorisation to do so; it was fraudulently claimed that the Software was necessary to play the music, which was a plain lie as is shown by every Linux and Apple machine that plays it just fine without the rootkit installed.

I might add that even though these discs are not available in the UK, the Computer Misuse Act still holds [opsi.gov.uk].

Anyone know if we could possibly get Inspector Knacker to take a look at these felonious fellows?

Re:First4Internet could be in BIG trouble.

I question the methodology. As far as I can tell, he's reporting which DNS servers have resolved queries for First4Internet. And he's doing it after the scandal has been all over the online news sites, all over the blogosphere and links to First4Internet's sites posted in a couple of dozen +5 comments on /.

I'd be surprised if there was a DNS server left on earth that hadn't recently handled a query for First4Internet by now.

I think the methodology is sounder than you think, the info on his page seems to indicate he didn't go by resolutions for just any F4I addresses but for addresses the rootkit used, particularly he mentions updates.xcp-aurora.com, something curious/outraged people aren't likely to try resolving for the hell of it.

In any case it's worth investigating, notice that not all of Europe is covered in red, although I'm sure the scandal has been reported there as well. There's a good possibility here that Sony has sold the CDs in the UK, and frankly it should be investigated because Sony deserves to be nailed with every law they violated for this little stunt.

Besides, has Sony ever released a list of all affected CDs yet?

The day the music died (err was killed by Sony)...

Sony CDs banned in the workplace [boingboing.net]

I've been chasing down several accounts of government agencies, companies, educational institutions and others banning the use of Sony CDs on their PCs, due to the security risks of having Sony's rootkit DRM infecting their PCs. One government ministry, Alberta Agriculture, has banned the use of music CDs altogether, since Sony is hardly the only music company crippling its CDs with sneaky, malicious software. Here are a couple examples:

It has been brought to our attention that there is significant risk to the security and the operation of UC computers in using Sony BMG produced CDs. For this reason, the use of Sony BMG produced CDs in University of Canberra computers is prohibited.

Here I thought this would only happen for "secure" workplaces. Sorta makes you feel sorry for SCO, they can't get anyone to even look at the crazy they're selling when Sony's got such a superior line of insane self-destructiveness.

Re:Stranger and stranger

Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet.

Actually, Sony were responsible for distributing the software.

That's why they're in trouble.

Re:pissing contest.

Does that meen Best Buy and Wal*Mart (and local music stores, not that I even know where those are) are (L)GPL violators too? They distributed the CDs...

Re:Stranger and stranger

Sony paid someone for a root kit to be secretly installed on people's machines. A root kit. You know, like paying a criminal to bug someone's phone. Sony damn well should have gone over that thing with a fine toothed comb, as it would have been trivial for First4Internet to get credit card numbers, access to bank accounts, corporate secrets, and anything else it wanted. Or, say, accidentally give access to that stuff to everyone in the world.

All parties involved in an illegal activity are responsible for that activity. Sony is no different.

Re:Stranger and stranger

I am not sure that I would come down too hard on Sony for this...

The GPL violations lie firmly on the shoulders of F4I. If Sony did not disassemble the code or inspect the source, they had no way of knowing.

We certainly CAN blame Sony for throwing crap DRM at us in the first place, and we can criticize their PR response to this whole mess. But we cannot blame them for GPL stuff.

And as far as the uninstall fiasco goes, Sony did not write the software, so I am sure that they do not know how to remove it. They have to rely on F4I to supply the uninstall software. But, once again, it IS their fault that they did not pull the uninstall program earlier once the security holes had been found. But Sony is a corporation, with probably 1,000 layers of management, so even that is understandable.

Nice link, guys.

That's what I get for actually trying to RTFA, I guess.

I'm suprised that the execs at Sony......

.... still have feet after shooting themselves in the foot so often.

Re:I'm suprised that the execs at Sony......

They are both to blame. Comapany A says "Since a lot of companies want DRM, we'll give them some DRM. Who cares if it's a stupid and possibly illeagal implimentation, it will make us a buttload of cash." Company B comes along and says, "That's just what weve been looking for! We have no idea how it really works, and we don't care, but you buy a great lunch and the presentation used all of our required buzzwords."

"First 4 Internet" are idiots for thinking they were more clever than several million computer geeks around the world. Sony are idiots for not throughly researching exactly what the software they licensed did, and how it did it, as well as thinking they had some right to do as they wish with someone elses property.

Re: Digital Camera Code

I wonder if it's the same code they used in their digital camera rootkit [bbspot.com].

A share of profits?

This is GPL'd code, not LGPL'd, right?

Anyway, DVD John can actually sue Sony for all *revenue* that Sony made from the sale of the CDs, if I'm not mistaken (not just profits). That would grab them where it hurts!

Re:A share of profits?

Actually I might be thinking patent infringement there. Seems like in a copyright case they could sue for statutory or actual damages if the material has been registered with the copyright office. The statutory damages might be $750 to $30,000 per infringement, but a judge can go above or below those numbers. Actual damages requires you to prove loss of income, which would be difficult in this case, since the code is distributed freely (in the sense of beer).

Re:A share of profits?

I wouldn't blame Sony too much since they're just trying to stop pirates from copying their music

*I* would. Are you seriously saying that if they committed copyright infringement to prevent copyright infringement it's ok because they're preventing copyright infringement? And that rootkitting thousands of machines worldwide is perfectly fine because "they're just trying to stop pirates"? wow! I want what you're smoking!

Re:A share of profits?

If it is GPL code then wouldn't it make the EULA unenforcable under the cannot add other restrictions clause?

Who guessed it?

I said right off the bat, that the Sony DRM package would be full of other's code. Seems to me that Sony hired some blackhats to get the job done for them. Violating the GPL is definitely the least of their worries, but just another strike against what is becoming an increasingly corrupt music giant.

Re:PS3 vs. XBOX360

I initially was going to wait for PS3 but now I am boycotting Sony and will be getting a 360 in a week or so.

Dumping PS3 in favour of 360 because you think Sony's evil is kind of similar to dumping Saruman in favour of Sauron.

Personally, I'm rather taken with that nifty new controller they're putting on the Revolution...

Re:PS3 vs. XBOX360

Who is more evil now? Sony or Microsoft?

Sony.....
Microsoft

Man- this is a tough one.

Re:PS3 vs. XBOX360

"Who is more evil now? Sony or Microsoft?"

Microsoft installed more rootkits: Windows XP.

Isn't that doubly illegal?

They've simultaneously violated DVD Jon's copyright on his code, and (in distributing it in the USA) violated the DMCA to boot!

Sony ought to be in some severely deep shit here. Of course they're a corporation, so they're mostly above the law, but we should still be able to get something to stick.