Slashdot Mirror


Sony Rootkit Allegedly Contains LGPL Software

Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.

41 of 623 comments

  1. Re:Uuuuuh by Anonymous Coward · · Score: 3, Informative

    they linked it statically (apparently the rootkit consists of a single exe), so no.

  2. Re:Uuuuuh by YA_Python_dev · · Score: 4, Informative
    Doesn't the LGPL permit this?

    No. You can link LGPLed software with proprietary software, but you must still distribute the sources of at least the free software (free as in RMS).

    --
    There's a hidden treasure in Python 3.x: __prepare__()
  3. Re:Uuuuuh by wlan0 · · Score: 5, Informative

    According to the EFF.

    This software is licensed under the so-called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in-between form between source code and executable code, the so-called object files, with which others can make comparable software.

  4. Nope. by Dr.+Manhattan · · Score: 4, Informative
    If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL. If you dynamically link to the LGPL code (e.g. shared library, DLL) then you don't have to open up the code that links to it (this is the primary difference between the GPL and the LGPL) but if you distribute the LGPL library with your binaries, you must offer the code for the LGPL portion, too.

    That being said, from what I've read it appears that the Sony DRM code may be looking for LAME on the system (to block it from working on their 'protected' stuff) but doesn't appear to actually contain LAME code.

    --
    PHEM - party like it's 1997-2003!
  5. ... or maybe not by 68kmac · · Score: 2, Informative

    Just minutes before heading over to Slashdot I read this which concludes that while Sony's software does contain some of the LAME tables, it doesn't seem to use them.

  6. Re:Uuuuuh by Anonymous Coward · · Score: 2, Informative

    Not necessarily.

    The LGPL allows linking of proprietary software against Free libraries, however you must provide source code for the Free library or a means of getting it and you must "give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License." In addition "You must supply a copy of this License" (the LGPL.)

    The question is if they linked against LAME or just pulled out a pattern string, and at what point it becomes "use" of the library. They still ought to have complied with the LGPL to be on the safe side if you ask me though.

  7. Re:Well, hang on a minute by hattig · · Score: 2, Informative

    The gist of it is that you can't statically link in the LGPL libraries into your application. You can only dynamically link the library. Even so, you have to give attribution that you use the library, and provide that library's source and object files on demand.

    I wonder if someone has made a request to the software firm that wrote the software originally? Because the code is statically linked, they will of course have to make their entire software source available - if I understand this right.

  8. Re:Uuuuuh by DataPath · · Score: 5, Informative

    Small clarification - you're not freed from the requirement to make the code for the LGPL portion available. You don't have to make the source code for the program that links against the LGPL code available.

    No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and direct users of the software to a website containing the source code.

    --
    Inconceivable!
  9. More info by muzzy · · Score: 5, Informative

    The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.

    Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/
    There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.

    --
    -- Matti Nikki
  10. Almost. by Anonymous Coward · · Score: 5, Informative

    If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL.

    Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distributing statically linked binaries and all .o files (also the closed ones). AFAIK, Loki did this for statically linked, closed-source, SDL-based games.

  11. There is no violation involved by lightweave · · Score: 1, Informative

    Apparently there are still enough people who don't understand the (L)GPL. The LGPL was created to allow people to use code from GPL applications as long as they only use it as a library. Which frees them from the need of redistributing their *own* code. Even with the GPL you are NOT required to distribute the code along with the binary. The only obligation that you have is to make it available upon request. But this is not the same. Even under the GPL I would be perfectly ok if I distribute a Linux system, without giving MY customers the source code, as long as they don't ask for it. If my client is happy, why bother? And of course, then I would only have to give the source code to MY clients and not everybody else as well.

    1. Re:There is no violation involved by Kickasso · · Score: 2, Informative

      If you don't distribute the source, you have to make a written offer, valid for at least 3 years, blah blah blah.

  12. Re:Sony Rootkit by dwandy · · Score: 2, Informative
    Unless you're talking about shoplifting software from the local Best Buy, "stealing" is incorrect.

    It's important to remember that "copyright infringement" != "stealing", and if people on /. can't keep this straight, how can anyone expect Joe Public to keep it straight?

    This is as much a PR battle as a legal battle, and any successful commercial organisation knows a thing or two about marketing/spin. And obviously judging by the crap they _sell_ (read push-on-consumers) as music and art, the *AA's must be successful marketers.

    --
    If you think imaginary property and real property are the same, when does your house become public domain?
  13. Re:Well, hang on a minute by Vo0k · · Score: 3, Informative

    You still can statically link as long as the user is able to replace the LGPL parts of the code. So, say, you distribute object format binaries of your proprietary code, or you release your own code on other open-source non-GPL license (like the new one from Microsoft, "you can read, you can compile, you're not allowed to edit"). Generally the gist is that the LGPL part of your code must remain Free to anyone you give/sell your software to, and the proprietary part must not stand in the way to that Freedom.

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
  14. "operating system on which the executable runs" by tepples · · Score: 5, Informative

    <sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>

    The GNU General Public License and the GNU Lesser General Public License have an operating system exemption. The exact wording of the exemption in both licenses is as follows:

    However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.

    1. Re:"operating system on which the executable runs" by maxwell+demon · · Score: 4, Informative

      Moreover, the gcc runtime libraries (the only part of gcc which ends up in gcc compiled code, and therefore could affect the licensing) all have special exceptions to the GPL, so that they don't cause the programs they are linked to to be covered by the GPL.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  15. LAME is in there, just not in GO.EXE by muzzy · · Score: 4, Informative

    Regarding GO.EXE, it's a cockup. I've posted a few other posts here explaining the real situation. LAME along with some other LGPL code is being used in other binaries on the DRM, I couldn't initially find them since they're compressed in XCP.DAT on the cd but they get installed on the system.

    --
    -- Matti Nikki
  16. Article Text (dewinter.com dead) by Anonymous Coward · · Score: 2, Informative
    Spyware Sony seems to breach copyright
    Posted on Thursday, November 10 @ 11:44:47 CET by brenno

    GNU / GPL (Copyleft) The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.

    It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3-encoder, and thereby breach the license.

    This software is licensed under the so-called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in-between form between source code and executable code, the so-called object files, with which others can make comparable software.

    Sony complied with none of these demands, but delivered just an executable program. A computer expert, whose name is known to the editors, discovered that the cd "Get Right With The Man" by "Van Zant" contains strings from the library version.c of Lame. This can be concluded from the strings: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 ".

    But the expert has more proof. For example, the executable program go.exe contains a so-called array largetbl. This is a part used in the module tables.c of libmp3lame.

    This discovery can have far-reaching consequences for the music giant, who claims only to protect copyrights. Previously, judges in Germany already forced various companies to release source code to the public and to deliver the goods necessary for compiling. It is also possible to demand financial compensation for damages.

    Meanwhile, other details are also becoming clear. The Electronic Frontier Foundation complains that the spyware makes the legal listening to the music on iPods impossible. The organisation is busy making a list of cds containing the hidden software and publishes this on its website.

    Various calls to SonyBMG remained unanswered despite promises to call back.
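    The article's evidence is a set of library strings found inside the shipped executable. As an added example (not from the article, the expert it quotes, or any commenter here), the script below does that kind of check in the manner of the `strings` tool: it extracts printable runs from a file and reports the offset of every run containing a known library marker. The marker list contains only the LAME strings quoted in the article, the sample "binary" is constructed inline, and the library label is an assumption.

```python
"""Scan a binary for string markers of an LGPL library (added example)."""
import re
from typing import Dict, List, Tuple

# Markers quoted in the article above (from LAME's version.c). The label
# is an assumption; any further markers would need checking against the
# library's own source before being trusted as evidence.
LIBRARY_MARKERS: Dict[str, List[bytes]] = {
    "LAME (version.c)": [b"http://www.mp3dev.org/", b"LAME3.95"],
}


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, bytes]]:
    """Return (offset, run) pairs for runs of at least min_len printable
    ASCII bytes, the same rule the classic `strings` tool applies."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(data)]


def find_library_markers(data: bytes) -> Dict[str, List[Tuple[int, bytes]]]:
    """Map each library name to the (offset, string) hits found in data.

    A run is reported once per library even if it contains several of
    that library's markers."""
    hits: Dict[str, List[Tuple[int, bytes]]] = {}
    for offset, run in extract_strings(data):
        for lib, markers in LIBRARY_MARKERS.items():
            if any(marker in run for marker in markers):
                hits.setdefault(lib, []).append((offset, run))
    return hits


def build_sample_binary() -> bytes:
    """Constructed stand-in for an executable: a fake header, padding and
    non-printable bytes around the strings the article names."""
    return (
        b"MZ\x90\x00" + b"\x00" * 32          # fake header + padding
        + b"http://www.mp3dev.org/\x00"       # offset 36
        + b"\xff\x01\x02"                     # non-printable noise
        + b"LAME3.95\x00" + b"3.95\x00"       # offsets 62 and 71
        + b"\x00" * 16 + b"unrelated text\x00"
    )


if __name__ == "__main__":
    for lib, found in find_library_markers(build_sample_binary()).items():
        print(lib)
        for offset, s in found:
            print(f"  0x{offset:06x}  {s.decode('ascii')}")
```

    Run against a real file, read it with `open(path, "rb").read()`; a marker hit shows that the strings are present, not how the code is linked, which is exactly the distinction the commenters above are arguing over.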

  17. Re:It serves them right! by jaiyen · · Score: 2, Informative

    But as it is, their competitors (well, competitors in a sense) are going to remove the rootkit for us.

  18. PLEASE, EDITORS CHECK GRAMMAR AND SPELLING by Anonymous Coward · · Score: 1, Informative
    • ... However, the source code has not also been distrbuted, hence breaching the license. Here is an english translation of the page....
    sigh,
    • distributed
    • English translation
  19. In Case Anybody's Losing Track by trentrez · · Score: 5, Informative

    FYI. BoingBoing have compiled a comprehensive timeline of events surrounding this: http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html

  20. Re:LGPL by DVega · · Score: 4, Informative

    LGPL requires access to the source code. The only difference with GPL is that LGPL allows linking with non-free (non-?GPL) components.

    --
    MOD THE CHILD UP!
  21. Re:LGPL by cow-orker · · Score: 3, Informative

    I believe you should shut up, stop relying on hearsay and read the license. Section 4 most clearly states:

    You may copy and distribute the Library [...] in object code or executable form [...] provided that you accompany it with the complete corresponding machine-readable source code
  22. Re:It even has some GPL components by Anonymous Coward · · Score: 1, Informative

    http://en.wikipedia.org/wiki/Mpg123

    "The license of the mpg123 player is GPL and the license of the mpglib inside the mpg123 package is LGPL."

    Or is wikipedia wrong...

  23. It's getting pulled anyhow by confusion · · Score: 4, Informative

    Not that it lessens their trespass, but Sony is apparently pulling the "infected" CDs:
    http://www.usatoday.com/tech/news/computersecurity/2005-11-14-sony-cds_x.htm

    Jerry
    http://www.cyvin.org/

  24. outdated info, it's LGPL nowadays by muzzy · · Score: 5, Informative

    That's outdated. mpglib was relicensed under LGPL some years ago already, check www.mpg123.de

    --
    -- Matti Nikki
  25. Re:Glee by Lisandro · · Score: 4, Informative

    It is. It's called Righteous Babe records.

  26. Re:Glee by GWTPict · · Score: 2, Informative
    The media is already moving on

    Really? From the BBC yesterday,

    http://news.bbc.co.uk/1/hi/technology/4434852.stm

  27. Re:Wrong. Because the best-kept secret about LGPL. by Dr.+Manhattan · · Score: 2, Informative
    When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not.

    Note the words "may be". Copyright law is funny. Using things that are necessary to interoperate (e.g. simple definitions of constants and function prototypes) is not a problem from a copyright perspective (cf. "scènes à faire"). If there's only one way to express an idea (e.g. "errno.h", which maps POSIX specified numbers to POSIX specified constant names), it's called "merger" and is not subject to copyright.

    Now, if the header file contains substantial code in its own right, either in the form of code that compiles or just macros, it's possible that a case might be made that the resultant object file might be considered a derived work (though note that the other source code is expressly not).

    Indeed, there might be a case to be made that dynamic linking doesn't create a derived work, and that would make the GPL legally equivalent to the LGPL. But no one's tried to make that case in a court yet.

    --
    PHEM - party like it's 1997-2003!
  28. Re:LGPL by angel'o'sphere · · Score: 2, Informative

    First of all, neither the GPL nor the LGPL require you to DISTRIBUTE the source code. They both require you to grant access to the source code.

    The LGPL does not require you to give anyone access to the non-free parts you linked with it. Only if you modify the library itself you are required to give access to the sources of said library, not to the source of the program you link with that library.

    So I don't see why Sony is violating the LGPL here. As you can download the LGPLed library from sourceforge, it's freely accessible, no?

    angel'o'sphere

    P.S. I have not bought CDs in years and since iTunes I don't need any CDs anymore anyway.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  29. Re:LAME encoder by sd4l · · Score: 4, Informative

    Isn't the LAME encoder an MP3 encoder that still needs to be licensed from Thompson?

    In short, No!

    Longer version: According to Dave Arland, a U.S. spokesman for Thomson Multimedia - 'its policy has always been to allow free use of the company's MP3 patents in "freely distributable software"'

    Newsforge Article

    --
    -- Andy Jeffries Scramdisk for Linux (Change the orgy to org to reply)
  30. Re:Reverse engineering by DMNT · · Score: 2, Informative

    Depends on the location. Muzzy lives in Finland, where a consumer has a limited right to reverse-engineer software they have legally received. This right is also non-contractable, so you can't give this right away in a contract; the part of the contract that holds limitations to reverse-engineer is invalid. Also a common lawyers' opinion is that EULAs don't hold, yet no one has tested them in court. Seems to me that companies' lawyers consider the EULA invalid too. After the money has changed hands you can no longer place new limits on the use of a product.

    Now that Muzzy has the facts that were obtained legally, using them is free. You can't violate an EULA by reading a website criticizing the software.

    --
    ?SYNTAX ERROR
  31. Re:Notification? by Bootvis · · Score: 2, Informative

    Because he's not alone? Lots of retards have modpoints.

    --
    Read, refresh, repeat.
  32. Re:What does the rootkit do when it detects LAME? by Nynaeve · · Score: 2, Informative

    This google cache link seems to imply that LAME code was indeed used. The presence of an internal data structure contained within LAME source code was present in the executable go.exe. I'm willing to bet there is enough evidence to get a copyright suit started. It would be so ironic.

  33. Re:Glee by cortana · · Score: 2, Informative

    The RIAA Radar says she is clean! Unfortunately it's a POST form so no direct link to the results.

  34. LAME is for research/education only by v3rgEz · · Score: 1, Informative

    Since LAME violates several mp3 patents, besides the obvious LGPL violations (if they are distributing LAME, which is disputed) Sony is violating several more people's rights. LAME is ONLY available for non-commercial, educational use. This would be a glaring violation (hence the reason that few distros ship (especially free ones) with mp3 support (legally)).

  35. Re:Code vs metadata by Bogtha · · Score: 4, Informative

    You are way off. "Fair use" isn't a specific law, it is a set of factors that must be considered in a copyright infringement case. Read up on it. You can't definitively say "there's no fair use law covering this" because fair use is non-specific. It's a huge grey area.

    --
    Bogtha Bogtha Bogtha
  36. Re:Not Sony by WhiteWolf666 · · Score: 4, Informative

    No, it's not cut and dry like that.

    In court, damages would be determined based upon the length of time when you were told you were in violation, and when you decided to correct this behavior.

    If you were warned that you were in violation, today, and correct the violation in a week, or stop distributing the code in a month (as soon as reasonably possible) damages would be 'negligible'.

    If you were warned that you were in violation, then ignored it indefinitely, until the matter was brought up in court, that would be considered willfully infringing. There would be damages, but of a limited amount, and an injunction against you for this kind of behavior.

    If you were warned that you were in violation, then you denied it, then you tried to disprove it, then you counter-sued, then you ignored it, attempted to settle, caused settlement negotiations to break down, filed to have the hearing moved to a different jurisdiction, etc etc, the court could be persuaded to lean towards the '$100,000 per CD copyright fine'.

    The court is given a fair amount of leeway in deciding this kind of thing. Behave badly, and unless you have a crack legal team, you'll get slapped. Judges, regardless of whether they are right wing or left wing have a _very_ serious sense of fairness. Fuck with some one in a willful way, and play with them in court to prolong your profiteering, and a judge _will_ come down on you hard.

    Hilariously, this seemed to work too well for Microsoft. They got the judge so damn pissed off that he had to reverse his decision. In my opinion, however, you'll never see this happen again. No judge will make the kind of comments that were made in that case.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  37. Re:Notification? by Anonymous Coward · · Score: 1, Informative

    And you're at Score:3, Insightful. The ultimate irony!

  38. WRONG WRONG WRONG by Krach42 · · Score: 2, Informative

    You have to make-sure-it-stays-there. And that's not enough.
    You also have to let people request it by mail charging only a minimal fee.

    These are DISJUNCTIVE positions. You only need to do one, not all of them.

    Saying "we have used unmodified versions of the LGPL library XY, and that you can obtain them from the website of the project which was at __url__ as of __date__"

    *IS* sufficient. The automatic requirement to redistribute the LGPLed code is not included anywhere in the LGPL code. Were it, it would say that you must redistribute the source code for the LGPL project if you release binaries.

    This is not the case. If you haven't made any changes to the LGPL code, then there is no reason to redistribute the source code, and there is no REQUIREMENT either.

    --

    I am unamerican, and proud of it!
  39. Re:Uuuuuh by coolgeek · · Score: 3, Informative

    Two hours research on various Windows Developer mailing lists will reveal all the answers needed to homebrew your own rootkit, if you have a little bit of savvy. My point is that concealing Windows' numerous design flaws in the hopes of obscuring the many ways to exploit them is not security. Besides, if you think Windows rootkit source isn't already being traded on IRC by many, you are truly naive.

    Even the methodology used by the sysinternals dude, of analyzing the kernel call vector to find the rootkit (by locating addresses pointing outside of the kernel) is nowhere near bulletproof. We're coming up on the 5th inning of the apocalypse of Windows. Soon a Mac will look cheap when you compare it to the time consuming weekly reformat/reinstall cycles that lie just beyond the horizon.

    --

    cat /dev/null >sig