Sony Rootkit Allegedly Contains LGPL Software
Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.
they linked it statically (apparently the rootkit consists of a single exe), so no.
No. You can link LGPLed software with proprietary software, but you must still distribute the sources of at least the free software (free as in RMS).
According to the EFF.
This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.
That being said, from what I've read it appears that the Sony DRM code may be looking for LAME on the system (to block it from working on their 'protected' stuff) but doesn't appear to actually contain LAME code.
Small clarification - you're not freed from the requirement to make the code for the LGPL portion available. You don't have to make the source code for the program that links against the LGPL code available.
No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and direct users of the software to a website containing the source code.
Inconceivable!
The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.
Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/
There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.
-- Matti Nikki
If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL.
Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distributing statically linked binaries and all .o files (also the closed ones). AFAIK, Loki did this for statically linked, closed-source, SDL-based games.
You still can statically link as long as the user is able to replace the LGPL parts of the code. So, say, you distribute object format binaries of your proprietary code, or you release your own code on other open-source non-GPL license (like the new one from Microsoft, "you can read, you can compile, you're not allowed to edit"). Generally the gist is that the LGPL part of your code must remain Free to anyone you give/sell your software to, and the proprietary part must not stand in the way to that Freedom.
<sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>
The GNU General Public License and the GNU Lesser General Public License have an operating system exemption. The exact wording of the exemption in both licenses is as follows:
True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.
Regarding GO.EXE, it's a cockup. I've posted a few other posts here explaining the real situation. LAME along with some other LGPL code is being used in other binaries on the DRM, I couldn't initially find them since they're compressed in XCP.DAT on the CD but they get installed on the system.
-- Matti Nikki
FYI. BoingBoing have compiled a comprehensive timeline of events surrounding this: http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html
LGPL requires access to the source code. The only difference with GPL is that LGPL allows linking with non-free (non-?GPL) components.
MOD THE CHILD UP!
I believe you should shut up, stop relying on hearsay and read the license. Section 4 most clearly states:
Not that it lessens their trespass, but Sony is apparently pulling the "infected" CDs:
http://www.usatoday.com/tech/news/computersecurity/2005-11-14-sony-cds_x.htm
Jerry
http://www.cyvin.org/
That's outdated. mpglib was relicensed under LGPL some years ago already, check www.mpg123.de
-- Matti Nikki
It is. It's called Righteous Babe records.
Isn't the LAME encoder an MP3 encoder that still needs to be licensed from Thomson?
In short, No!
Longer version: According to Dave Arland, a U.S. spokesman for Thomson Multimedia - 'its policy has always been to allow free use of the company's MP3 patents in "freely distributable software"'
Newsforge Article
-- Andy Jeffries Scramdisk for Linux (Change the orgy to org to reply)
You are way off. "Fair use" isn't a specific law, it is a set of factors that must be considered in a copyright infringement case. Read up on it. You can't definitively say "there's no fair use law covering this" because fair use is non-specific. It's a huge grey area.
Bogtha Bogtha Bogtha
No, it's not cut and dry like that.
In court, damages would be determined based upon the length of time when you were told you were in violation, and when you decided to correct this behavior.
If you were warned that you were in violation, today, and correct the violation in a week, or stop distributing the code in a month (as soon as reasonably possible) damages would be 'negligible'.
If you were warned that you were in violation, then ignored it indefinitely, until the matter was brought up in court, that would be considered willfully infringing. There would be damages, but of a limited amount, and an injunction against you for this kind of behavior.
If you were warned that you were in violation, then you denied it, then you tried to disprove it, then you counter-sued, then you ignored it, attempted to settle, caused settlement negotiations to break down, filed to have the hearing moved to a different jurisdiction, etc etc, the court could be persuaded to lean towards the '$100,000 per CD copyright fine'.
The court is given a fair amount of leeway in deciding this kind of thing. Behave badly, and unless you have a crack legal team, you'll get slapped. Judges, regardless of whether they are right wing or left wing, have a _very_ serious sense of fairness. Fuck with someone in a willful way, and play with them in court to prolong your profiteering, and a judge _will_ come down on you hard.
Hilariously, this seemed to work too well for Microsoft. They got the judge so damn pissed off that had to reverse his decision. In my opinion, however, you'll never see this happen again. No judge will make the kind of comments that were made in that case.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Two hours research on various Windows Developer mailing lists will reveal all the answers needed to homebrew your own rootkit, if you have a little bit of savvy. My point is that concealing Windows' numerous design flaws in the hopes of obscuring the many ways to exploit them is not security. Besides, if you think Windows rootkit source isn't already being traded on IRC by many, you are truly naive.
Even the methodology used by the sysinternals dude, of analyzing the kernel call vector to find the rootkit (by locating addresses pointing outside of the kernel) is nowhere near bulletproof. We're coming up on the 5th inning of the apocalypse of Windows. Soon a Mac will look cheap when you compare it to the time consuming weekly reformat/reinstall cycles that lie just beyond the horizon.
cat
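The kernel call vector check mentioned in the comment above, as an added example that is not part of the original thread: each dispatch-table entry is attributed to the loaded module that contains it, and entries resolving outside the kernel image are reported. All module names, addresses and table entries below are constructed for illustration.

```python
from bisect import bisect_right

# Constructed sample data: these modules and addresses are made up and do
# not come from any real system or from the software discussed in the thread.
MODULES = [  # (base, size, name), as a loaded-module list would report them
    (0x80400000, 0x00200000, "ntoskrnl.exe"),
    (0xF8000000, 0x00010000, "example_fs.sys"),
    (0xF9000000, 0x00008000, "unknown_drv.sys"),
]

SERVICE_TABLE = {  # service index -> handler address (constructed)
    0x25: 0x80412340,
    0x42: 0x8051A000,
    0x74: 0xF9001A20,  # lands inside a third-party driver
    0x91: 0xFA000010,  # lands in memory that no listed module claims
}


def owner_of(addr, modules):
    """Return the name of the module whose [base, base + size) holds addr."""
    mods = sorted(modules)
    i = bisect_right([m[0] for m in mods], addr) - 1
    if i >= 0:
        base, size, name = mods[i]
        if base <= addr < base + size:
            return name
    return None


def audit_table(table, modules, kernel="ntoskrnl.exe"):
    """List (index, address, owner) for entries that leave the kernel image."""
    findings = []
    for index in sorted(table):
        owner = owner_of(table[index], modules)
        if owner != kernel:
            findings.append((index, table[index], owner or "<unmapped>"))
    return findings


if __name__ == "__main__":
    for index, addr, owner in audit_table(SERVICE_TABLE, MODULES):
        print(f"service 0x{index:02x} -> 0x{addr:08x} ({owner})")
```
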