Slashdot Mirror


Sony Rootkit Allegedly Contains LGPL Software

Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.

15 of 623 comments

  1. It even has some GPL components by leuk_he · · Score: 4, Interesting
    Looking at the licence of LAME:

    *** IMPORTANT NOTE ***

    The decoding functions provided in LAME use the mpglib decoding engine which
    is under the GPL. They may not be used by any program not released under the
    GPL unless you obtain such permission from the MPG123 project (www.mpg123.de).

    So it is not only LGPL, but also the more strict GPL. This is of course all meaningless if nobody from the mpg123 project steps out and tells Sony to go with the license.
  2. Re:Code vs metadata by muzzy · · Score: 4, Interesting

    Wrong, it isn't used for identifying anything. The GO.EXE only contains the strings and data but it isn't used there. I wasn't able to find any code in the executable that uses the data (for any purposes), and I looked pretty hard. It's been statically linked but unused. HOWEVER, there are more binaries on the CD compressed in XCP.DAT, which get installed to the system along with the DRM crap. At least one of these binaries contains LAME code for certain. The GO.EXE might not be enough for a case, but that's just the tip of the iceberg. There's real infringement in at least one other executable.

    --
    -- Matti Nikki
  3. ... or maybe yes by muzzy · · Score: 5, Interesting

    That only concerns GO.EXE, and while the analysis is correct for that executable, I checked for LAME references against every binary in the compressed XCP.DAT file after I managed to unpack it (thanks to the freedom-to-tinker.com guys for providing a description of the format). Turns out, there are more binaries including references to LAME, and this time there's actually code that uses the data as well. And not just LAME, there's also Id3lib included in one dll, and bladeenc and mpglib distributed along with the DRM. All of this is LGPL, it's code, and it's being used.

    --
    -- Matti Nikki
  4. Sabotage from within? by jeffs72 · · Score: 5, Interesting
    I could see the developer who had this project fall in his lap say "this is fucking stupid, let's teach them a lesson on integrating spyware with their cds" and violate this license (which will give them a black eye) and then write it in such a way that people can easily use it as a virus/trojan vector.

    The more I think about it, it really smells of dissension from within.

    Either that or it looks to me like this is a mix of business people not understanding their market, customers, or technology and sloppy code work. I mean, what asshat would grab some open source code and not adhere to the license? It is either a tremendous faux pas on Sony's part, or there was some intentional act here to make this as reprehensible as possible.

    Sort of like watching the music industry test the waters on this sort of thing and finding them extremely chilly.

    --
    This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
  5. no excuse by r00t · · Score: 4, Interesting

    Sony may claim to be looking for LAME. If so, they are using copyrighted samples to do it.

    Since Sony already argues against fair use of samples, one need only supply the court with Sony's own arguments against fair use.

  6. What does the rootkit do when it detects LAME? by dmoen · · Score: 5, Interesting

    1. It seems that Sony has not actually included any executable code from LAME, only some data, which is likely used as a signature, to determine if you have LAME installed and are using it to rip MP3s. This is likely fair use, not wholesale copyright violation, as far as LAME and the LGPL are concerned.

    So the interesting question is: what does the rootkit do when it detects LAME on your hard drive? Does it disable or corrupt LAME? Does it phone home? Does it automatically initiate an RIAA lawsuit?

    *This* is what I think the next Sony class-action lawsuit should be about. I doubt there is enough grounds to get them on an LGPL copyright infringement suit.

    2. Muzzy points out that the Sony uninstaller installs a "safe for scripting" Active-X control with remotely exploitable entry points for rebooting your machine and possibly for installing arbitrary code on your machine. More fuel for the tasty class action suits that are starting up.

    3. Sony has done so many evil things with the rootkit fiasco (and we haven't discovered them all yet); the outrage is spreading, and it may lead to a major backlash against the whole industry practice of distributing corrupted CDs in the name of DRM. Here's hoping for a brighter tomorrow.

    Doug Moen.

    --
    I have written a truly remarkable program which this sig is too small to contain.
  7. Re:Code vs metadata by courtarro · · Score: 4, Interesting
    > At least one of these binaries contain LAME code for certain.

    Are you arguing that the included code is being used in a way that violates Fair Use, or that simply including the code for comparison (as the grandparent argues) is not fair use? I can't imagine why Sony would need to "use" several MP3 encoders (this comment links to a list of them) to actually encode music. Thus, I would assume that Sony is including bits of code from these programs in order to prevent them from running. Is that a violation of the LGPL?

  8. Re:Glee by Omnifarious · · Score: 4, Interesting

    I haven't bought a CD in years. It's put a big damper on my listening to new music, but it's just not worth it to support that industry. I've heard that Ani DiFranco's label is completely independent though, so I might go buy her stuff.

  9. Not Sony by MaestroSartori · · Score: 4, Interesting

    Disclaimer: I'm a Sony employee, and I strongly disapprove of the rootkit DRM stuff in a completely unofficial not-representative-of-the-company way ;)

    But it's worth mentioning at this point that Sony didn't develop the software in question here - the XCP software was developed by First4Internet.

    Not being a lawyer, or particularly knowledgeable about (L)GPL terms, who could be held liable when a piece of software is developed by one party, but distributed by another? Is ignorance a defence? For instance, if Sony said "We didn't know it had unlicensed code!", how would that affect things?

  10. Re:Thank god! by IAmTheDave · · Score: 4, Interesting
    > Not sure about the English language, but in my own we have a saying for this: "Do what I say, not what I do"

    Yup, that's right. The thing that kills me is that certain members of our government are busy drafting legislation that would make criminal penalties against copyright infringement harsher, including jail time. No doubt Sony is a sponsor of this bill - or at least the RIAA/MPAA, of which Sony is a member. Yet do you think that Sony would ever be concerned about holding themselves to the same standard? Would they, as a sponsor of this proposed legislation, support the CEO, CIO, chief architect, programmer, or otherwise spending some time in jail for an LGPL or GPL copyright violation?

    The double standard kills me, and in cases like this where Sony's actions are quite simply audacious, I almost start to feel physical anger. I'm tired of being treated like a criminal, and it's really about time that a company like Sony be held responsible for the huge amount of personal and other violations that they have trampled on with this one single action of releasing this software.

    --
    Excuse my speling.
    Making The Bar Project
  11. Re:I don't get it by Walkiry · · Score: 4, Interesting

    >Anyone have any ideas?

    Well, according to some people who have had to exorcise the demon from their Windows PC, what happened after installing the rootkit is that MP3 files ripped from other CDs came back worse for wear, with noise, loss of quality and whatnot.

    If that is true, you can probably connect the dots easily and see what Sony was after :-)

    --
    ---- Take the Space Quiz!
  12. WRONG by samjam · · Score: 4, Interesting

    "to a website" WRONG WRONG WRONG.

    If Sony don't provide the source they must make THE source available to all third parties for at least 3 years.
    This is an obligation they must fulfil.

    http://www.gnu.org/licenses/gpl-faq.html#DistributeWithSourceOnInternet
    http://www.gnu.org/licenses/gpl-faq.html#TOCSourceAndBinaryOnDifferentSites
    Merely pointing to "a website" or "the website we got it from" is not enough.
    You have to make-sure-it-stays-there. And that's not enough.
    You also have to let people request it by mail, charging only a minimal fee.

    You have to track your releases and make sure you keep the source of each release separately so you can give people the source to the version they had.

    Too many people consider only casually the obligation that the GPL puts on them. GPL is not an easy way out.

    It's easy to receive GPL software because the burden is on the distributor, but you must understand and fulfil the burden when you are the distributor.
    With most commercial software you pay some money before you receive it but you still have to follow the license guidelines.

    Is it too often for me to say again that too many people distribute binary packages of open source software and distribute the source they compile to make the binary package, but do not distribute the source for making the binary package; i.e. the .spec file, or the dev-src equivalent.

    Sam

  13. GPL gives rights beyond copyright law by chihowa · · Score: 5, Interesting
    Of course you're a troll, but I'll bite anyway.

    The thing that people don't seem to realize is that if the GPL doesn't hold any water (and it may not), then the whole thing just collapses back to plain old copyright law. In that case, they can't copy and sell the code at all without permission from the writer.

    If I write a book and release it on the internet for everybody to download for free, you still can't copy and sell it without my permission. The fact that the code is offered for free doesn't mean that the writer has given up his rights to the work. In fact it is the GPL that gives people the right to copy and sell the work, if they follow the rules outlined in it. Breaking the GPL means you don't have permission to copy and sell the works at all. It is the GPL itself that makes it legal for people to copy and sell GPLed work. Without the GPL it's just plain ol' copyright infringement.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  14. Let EFF know what you think by chihowa · · Score: 4, Interesting

    This seems like a pretty good GPL test case. The irony of copyright infringement being used to develop a copyright protecting program would likely go over well with the court!

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  15. Re:So... How about them statutory damages... by Alsee · · Score: 4, Interesting

    Ummm, does anyone know how many programmers (also known as copyright holders) have code in LAME?

    Because each copyright holder can sue independently.

    Oh, and in case anyone forgot, the RIAA sued a college student for $97.8 Billion. So they have absolutely no right to bitch about how stupid-huge copyright infringements can get to be. Their own lawyers participated in drafting the law with the stupid-ass damages.

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.