Sony Rootkit Allegedly Contains LGPL Software
Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.
I will admit I haven't read the license, but I could have sworn that I have no obligation to distribute the source of software I write using LGPL-licensed libraries. I thought I could freely distribute software using them for any purpose even if I was distributing binaries only of my proprietary software.
In fact, I thought that was the whole difference between the GPL and LGPL.
Did I get this wrong, or is this a non-story?
D
IANAL, but I think this is no case. The code isn't included as executable, but as metadata usable in identifying LAME. Same as antivirus vendors shouldn't be held liable for installing millions of viruses and copyrighted code from multiple spyware programs, just because the antivirus contains snippets of the original code used in identifying the threats. They don't link the code against the program, but include pieces of it as non-executable data for the database. It's fair use. Same as you'd sue Google for copyright infringement because they include a snippet of text from your website in their search results, or a thumbnail of your copyrighted image in image search.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
until the music industry stops suing their customers
Yes, but this time, it's customers suing them!
Write boring code, not shiny code!
However, the source code has not also been distributed, hence breaching the license
Uhh... Probably not going to say something popular here, but wouldn't it only violate the LGPL if they had made changes to the code and then not made those changes available?
If they just linked against it as a library, well, the LGPL exists for exactly that reason.
Not to say that I find it all that unlikely that Sony did in fact make changes (adding some other DRM, beyond the rootkit itself - Though even that, they could theoretically have done without modifying the Lame code itself), but this seems all too much like exactly what we fault SCO for.
"You used our code! Give us your changes!" "We didn't make any changes..." "Well give us the code and prove it!"
It's like a nerd's wet dream. First you have an over-zealous company sabotage its own customers' machines. Now, it turns out they are violating the very copyright laws they are trying to defend with their crapware. What next? Perhaps they'll claim they own the code in question and try to relicense it for $699, even though we all know they'll want to charge $666 for it.
After calming me down with some orange slices and some fetal spooning, E.T. revealed to me his singular purpose.
According to the report I read, the Sony rootkit doesn't contain any of the code from the LAME libraries, just a couple of tables. No-one seems to be quite sure why they'd do this - the two popular theories seem to be that either it's a cockup (they didn't really mean to include the tables) or it's part of some LAME-detection system. The evidence is probably on the side of the former given that the tables don't actually seem to be used at any point.
This probably is copyrightable data, but it appears to be use on a par with that occurring in spyware detection, as reported in the last news item.
Disclaimer: I'm not the techiest person in the world - if I've made a mistake please tell me.
For the love of God, please learn to spell "ridiculous"!!!
So it is not only LGPL, but also the more strict GPL. This is of course all meaningless if nobody from the mpg123 project steps out and tells Sony to go with the license.
I'm sure I'm about to be proved wrong on this but....
The strings just look to be a part of a search function for various LAME versions on the user's computer,
and both programmes contain an array with the highly original title of "largetbl".
"Large Table" for those non programmers amongst us.
I'd like to see a bit more evidence before I cry foul.
What I find interesting: why is the Sony Rootkit looking for LAME in the first place?
Does it alter or break LAME in some way if LAME is found?
That only concerns GO.EXE, and while the analysis is correct for that executable, I checked for LAME references against every binary in the compressed XCP.DAT file after I managed to unpack it (thanks to freedom-to-tinker.com guys for providing description of the format). Turns out, there are more binaries including references to LAME, and this time there's actually code that uses the data as well. And not just LAME, there's also Id3lib included in one dll, and bladeenc and mpglib distributed along with the DRM. All of this is LGPL, it's code, and it's being used.
-- Matti Nikki
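A scanner for the kind of check Matti describes, as an added example (not the commenter's own tooling or anything shipped with XCP): it searches the raw bytes of unpacked binaries for marker strings associated with the libraries named above and reports each hit with its offset, which is the starting point for deciding whether a binary merely carries a table or actually bundles library code. The marker strings and the sample bytes are constructed for illustration, not a vetted signature set.

```python
import re
from pathlib import Path

# Library name -> marker strings to look for. Illustrative values, not a
# vetted signature set: "LAME" and "largetbl" are named in the thread, the
# rest are just the project names mentioned above.
MARKERS = {
    "LAME": [b"LAME", b"largetbl"],
    "id3lib": [b"id3lib"],
    "bladeenc": [b"bladeenc"],
    "mpglib": [b"mpglib"],
}


def find_library_references(data, markers=MARKERS):
    """Return {library: [(marker, offset), ...]} for markers found in data.

    Each marker is searched both as plain ASCII and as UTF-16LE, since
    Windows binaries carry strings in either form. Matching is case-sensitive
    and hits are sorted by offset so the report is stable.
    """
    hits = {}
    for lib, needles in markers.items():
        for needle in needles:
            for variant in (needle, needle.decode("ascii").encode("utf-16-le")):
                for m in re.finditer(re.escape(variant), data):
                    hits.setdefault(lib, []).append((needle.decode("ascii"), m.start()))
    for lib in hits:
        hits[lib].sort(key=lambda h: h[1])
    return hits


def scan_files(paths, markers=MARKERS):
    """Map each path to its marker hits; files with no hits are omitted."""
    report = {}
    for p in paths:
        found = find_library_references(Path(p).read_bytes(), markers)
        if found:
            report[str(p)] = found
    return report


# Constructed stand-in for an unpacked executable: a DOS header stub,
# the "largetbl" name as ASCII, "LAME" as UTF-16LE and an id3lib string.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"largetbl\x00" + b"\x00" * 8
    + "LAME".encode("utf-16-le") + b"\x00" * 4
    + b"id3lib\x00"
)

if __name__ == "__main__":
    for lib, found in find_library_references(SAMPLE_BINARY).items():
        for marker, off in found:
            print(f"{lib:10s} {marker!r:12s} at offset 0x{off:x}")
```

Run `scan_files` over the unpacked files to get a per-file report; a hit on a table name alone is consistent with the "just a couple of tables" reading, while hits on several library strings in one file are the case to examine further.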
The more I think about it, it really smells of dissension from within.
Either that or it looks to me like this is a mix of business people not understanding their market, customers, or technology and sloppy code work. I mean, what asshat would grab some open source code and not adhere to the license? It is either a tremendous faux pas on Sony's part, or there was some intentional act here to make this as reprehensible as possible.
Sort of like watching the music industry test the waters on this sort of thing and finding them extremely chilly.
This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
Interestingly this comment, over at groklaw, suggests that the Sony EULA restrictions on disassembly/reverse engineering may be incompatible with them distributing (L)GPL software in there.
Sony may claim to be looking for LAME. If so, they are using copyrighted samples to do it.
Since Sony already argues against fair use of samples, one need only supply the court with Sony's own arguments against fair use.
1. It seems that Sony has not actually included any executable code from LAME, only some data, which is likely used as a signature, to determine if you have LAME installed and are using it to rip MP3s. This is likely fair use, not wholesale copyright violation, as far as LAME and the LGPL are concerned.
So the interesting question is: what does the rootkit do when it detects LAME on your hard drive? Does it disable or corrupt LAME? Does it phone home? Does it automatically initiate an RIAA lawsuit?
*This* is what I think the next Sony class-action lawsuit should be about. I doubt there is enough grounds to get them on an LGPL copyright infringement suit.
2. Muzzy points out that the Sony uninstaller installs a "safe for scripting" ActiveX control with remotely exploitable entry points for rebooting your machine and possibly for installing arbitrary code on your machine. More fuel for the tasty class action suits that are starting up.
3. Sony has done so many evil things with the rootkit fiasco (and we haven't discovered them all yet); the outrage is spreading, and it may lead to a major backlash against the whole industry practice of distributing corrupted CDs in the name of DRM. Here's hoping for a brighter tomorrow.
Doug Moen.
I have written a truly remarkable program which this sig is too small to contain.
I haven't bought a CD in years. It's put a big damper on my listening to new music, but it's just not worth it to support that industry. I've heard that Ani DiFranco's label is completely independent though, so I might go buy her stuff.
Need a Python, C++, Unix, Linux develop
Disclaimer: I'm a Sony employee, and I strongly disapprove of the rootkit DRM stuff in a completely unofficial not-representative-of-the-company way ;)
But it's worth mentioning at this point that Sony didn't develop the software in question here - the XCP software was developed by First4Internet.
Not being a lawyer, or particularly knowledgeable about (L)GPL terms, who could be held liable when a piece of software is developed by one party, but distributed by another? Is ignorance a defence, for instance if Sony said "We didn't know it had unlicensed code!", how would that affect things?
Game dev and music blog
Yup, that's right. The thing that kills me is that certain members of our government are busy drafting legislation that would make criminal penalties against copyright infringement harsher, including jail time. No doubt Sony is a sponsor of this bill - or at least the RIAA/MPAA, of which Sony is a member. Yet do you think that Sony would ever be concerned about holding themselves to the same standard? Would they, as a sponsor of this proposed legislation, support the CEO, CIO, chief architect, programmer, or otherwise spending some time in jail for an LGPL or GPL copyright violation?
The double standard kills me, and in cases like this where Sony's actions are quite simply audacious, I almost start to feel physical anger. I'm tired of being treated like a criminal, and it's really about time that a company like Sony be held responsible for the huge amount of personal and other violations that they have trampled on with this one single action of releasing this software.
Excuse my speling.
Making The Bar Project
I read an article a week or so back saying that the rootkit would insert spots of noise into MP3's when you tried to burn them to degrade the quality. Perhaps this is where LAME could be used? Anybody know the article I'm talking about and can link it?
>Anyone have any ideas?
:-)
Well, according to some people who have had to exorcise the demon from their Windows PC, what happened after installing the rootkit is that MP3 files ripped from other CDs came back worse for wear, with noise, loss of quality and whatnot.
If that is true, you can probably connect the dots easily and see what Sony was after.
---- Take the Space Quiz!
This is +5 Ironic or Insightful.
Why hasn't anyone issued a takedown notice to Sony, so they have to pull these viral CDs from the stores and issue a recall?
Saskboy's blog is good. 9 out of 10 dentists agree.
"to a website" WRONG WRONG WRONG.
If Sony don't provide the source they must make THE source available to all third parties for at least 3 years.
This is an obligation they must fulfil.
http://www.gnu.org/licenses/gpl-faq.html#Distribu
http://www.gnu.org/licenses/gpl-faq.html#TOCSourc
Merely pointing to "a website" or "the website we got it from" is not enough.
You have to make-sure-it-stays-there. And that's not enough.
You also have to let people request it by mail charging only a minimal fee.
You have to track your releases and make sure you keep the source of each release separately so you can give people the source to the version they had.
Too many people consider only casually the obligation that the GPL puts on them. GPL is not an easy way out.
It's easy to receive GPL software because the burden is on the distributor, but you must understand and fulfil the burden when you are the distributor.
With most commercial software you pay some money before you receive it but you still have to follow the license guidelines.
Is it too often for me to say again that too many people distribute binary packages to open source software and distribute the source they compile to make the binary package but do not distribute the source to making the binary package; i.e. the .spec file, or the dev-src equivalent.
Sam
blog.sam.liddicott.com
The thing that people don't seem to realize is that if the GPL doesn't hold any water (and it may not), then the whole thing just collapses back to plain old copyright law. In that case, they can't copy and sell the code at all without permission from the writer.
If I write a book and release it on the internet for everybody to download for free, you still can't copy and sell it without my permission. The fact that the code is offered for free doesn't mean that the writer has given up his rights to the work. In fact it is the GPL that gives people the right to copy and sell the work, if they follow the rules outlined in it. Breaking the GPL means you don't have permission to copy and sell the works at all. It is the GPL itself that makes it legal for people to copy and sell GPLed work. Without the GPL it's just plain ol' copyright infringement.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
This seems like a pretty good GPL test case. The irony of copyright infringement being used to develop a copyright protecting program would likely go over well with the court!
This is the "code should still be controlled" religion. If you want to copy somebody else's work and use it for your own ends, should they not have any say over the process? If you want to avoid the "viral LGPL", stop copying other people's code. It's silly to think that you should be able to do whatever you like with somebody else's work without respecting their restrictions. Have you heard the saying: "Don't look a gift horse in the mouth"? You're getting the code for free (you didn't have to pay for it or write it yourself), so play by the rules of the giver or don't accept the gift. This really isn't that difficult.
So let's do the math. 20CD * 1 million copies each * $150,000/copy = $3 trillion dollars.
What incredible irony it would be if the LAME group ended up owning Sony Corp.
Yeah, I know, not a chance in hell, but one can dream...
When information is power, privacy is freedom.
How about sending takedown notices to the stores selling the CDs?
---- Dave
Ummm, does anyone know how many programmers (also known as copyright holders) have code in LAME?
Because each copyright holder can sue independently.
Oh, and in case anyone forgot the RIAA sued a college student for $97.8 Billion. So they have absolutely no right to bitch about how stupid-huge copyright infringements can get to be. Their own lawyers participated in drafting the law with the stupid-ass damages.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I used to always think a license meant what it says, not what the hordes of Slashdot children wish it did. Please people, GO READ THE FRIGGING LGPL!
The LGPL does not require you to distribute the source code, it only requires you to give the source code to a user who asks for it. Including the source code with the software is only one of several means to accomplish this. Has any legal user of the software asked Sony for the source code? Anyone? I thought not...
It's not that I think Sony is innocent. Hardly! But that's no excuse for hundreds of Slashdot posters to be whining about license terms that don't even exist.
A Government Is a Body of People, Usually Notably Ungoverned
This researcher has probed the caching on DNS servers to see how many requests are made for the www addresses used by the rootkit. He's gone and generated some nice geospatial plots of the results. The West is burning!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Is anybody else just awestruck by the delicious irony of Sony violating a licensing/ distribution agreement in an effort to prevent folks from violating theirs? This has the potential to venture into Greek tragedy territory before it's all over, folks.
You know you've hit rock bottom when even the Bush Administration has enough political clout to condemn your actions. Sony'd be better off if they were using this stuff to actively spy on users. That way, they could spin it as some kind of Patriot Act double-secret probationary counter-terrorism measure to prevent Al Qaeda pirating their content and funneling the black market proceeds to embedded cells worldwide. That they didn't dub their root kit "the Freedom patch" was truly an opportunity missed.
Great, then rewrite all those awesome GPL libraries you link to and release the code under BSD. Better yet, just release it into the public domain, with *no* strings attached. Nobody's holding a gun to your head, and frankly, nobody cares what you do with *your* code. However, if you use *my* GPL'd code in your BSD-licensed program, you had better GPL your project, otherwise someone may take credit for *my* work; leaving you with one pissed-off developer hounding your ass.
No PS3 for me. This was the straw that broke the camel's back. Sony and Lucas recently destroyed SWG and I bought a Sony DVD DL/DF DVD burner that won't burn DVD+R media even though it says so on the box and I hate DRM so much it makes me want to torture the Sony Exec who made the decision in my secret prison.
Sony just lost any possibility of purchases from me. If I find out a product is affiliated with Sony in any way I will look for alternatives. They are now considered worse than Microsoft, Sun, and possibly even SCO. I don't care what you do, I'm going to boycott.
So this boils down to Sony ignoring the access control (LGPL) in place on the LAME library and committing theft of someone else's Intellectual Property in order to construct their DRM code?
If this isn't the most blatant case of a pot calling a kettle black. They should be sued under the DMCA for each CD they have sold in the US market.
It would seem this is no longer a civil matter but a criminal matter. Will this be taken as a case by the FBI?
-l