Sony Rootkit Allegedly Contains LGPL Software
Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.
now I feel more and more justified for not buying any music until the music industry stops suing their customers.
I read about this story days ago. I was hoping it wouldn't get lost. In a way this is even bigger than the root-kit story. You've got to love the irony of stealing code to create a DRM infested ripper!
If someone says he and his monkey have nothing to hide, they almost certainly do.
they linked it statically (apparently the rootkit consists of a single exe), so no.
No. You can link LGPLed software with proprietary software, but you must still distribute the sources of at least the free software (free as in RMS).
There's a hidden treasure in Python 3.x: __prepare__()
According to the EFF.
This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.
I will admit I haven't read the license, but I could have sworn that I have no obligation to distribute the source of software I write using LGPL-licensed libraries. I thought I could freely distribute software using them for any purpose even if I was distributing binaries only of my proprietary software.
In fact, I thought that was the whole difference between the GPL and LGPL.
Did I get this wrong, or is this a non-story?
D
IANAL, but I think this is no-case. The code isn't included as executable, but as metadata usable in identifying LAME. Same as antivirus vendors shouldn't be kept liable for installing millions of viruses and copyrighted code from multiple spyware programs, just because the antivirus contains snippets of the original code used in identifying the threats. They don't link the code against the program, but include pieces of it as non-executable data for the database. It's fair use. Same as you'd sue Google for copyright infringement because they include a snippet of text from your website in their search results, or a thumbnail of your copyrighted image in image search.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
Someone should send a takedown notice to the Sony corporation.
That being said, from what I've read it appears that the Sony DRM code may be looking for LAME on the system (to block it from working on their 'protected' stuff) but doesn't appear to actually contain LAME code.
PHEM - party like it's 1997-2003!
Just minutes before heading over to Slashdot I read this which concludes that while Sony's software does contain some of the LAME tables, it doesn't seem to use them.
Not necessarily.
The LGPL allows linking of proprietary software against Free libraries, however you must provide source code for the Free library or a means of getting it and you must "give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License." In addition "You must supply a copy of this License" (the LGPL.)
The question is if they linked against LAME or just pulled out a pattern string, and at what point it becomes "use" of the library. They still ought to have complied with the LGPL to be on the safe side if you ask me though.
According to the report I read, the Sony rootkit doesn't contain any of the code from the LAME libraries, just a couple of tables. No-one seems to be quite sure why they'd do this - the two popular theories seem to be that either it's a cockup (they didn't really mean to include the tables) or it's part of some LAME-detection system. The evidence is probably on the side of the former given that the tables don't actually seem to be used at any point.
This probably is copyrightable data, but it appears to be use on a par with that occurring in spyware detection, as reported in the last news item.
Disclaimer: I'm not the techiest person in the world - if I've made a mistake please tell me.
For the love of God, please learn to spell "ridiculous"!!!
Small clarification - you're not freed from the requirement to make the code for the lgpl portion available. You don't have to make the source code for the program that links against the LGPL code available.
No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and direct users of the software to a website containing the source code.
Inconceivable!
If they'd gone Open Source from the start with their rootkit, the community could have contributed bug fixes and improvements. Even their competitors could have gotten involved, resulting in a truly powerful bug-free rootkit for use by everyone.
One line blog. I hear that they're called Twitters now.
It's beautiful. I've always thought that the corporate war on their customers over intellectual property would turn when someone went too far. All of a sudden the main stream media would wake up and finally get it. Well, now it's happened. The media is all over the story and Sony, bless their hollow little heads, just keep digging. I'm sure I'm not the only one who was shocked but not surprised at the news Sony or Level 4 have broken the LGPL. They are staggering around like a pummeled prizefighter, bleeding on everything. There's going to be more blood before this is over. Besides the $billion or so it will cost Sony to clean up the mess, others will have some 'splainin to do. Like the anti-virus companies, like Microsoft, like the other music companies.
I knew something was up when I saw that Aibo perched at my keyboard when I woke up this morning.
Next thing you know, they'll be after our precious bodily fluids.
The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.
Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/
There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.
-- Matti Nikki
Next thing you know they'll buy SCO.
"Open the pod by doors, Hal" > "I'm afraid I can't do that, Dave" sudo "Open the pod bay doors, Hal" > alright
If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL.
Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distributing statically linked binaries and all .o files (also the closed ones). AFAIK, Loki did this for statically linked, closed-source, SDL-based games.
- Sony rootkit eats kittens?
- Sony rootkit throws momma from the train?
- Sony rootkit spawns Darth Vader?
- Sony rootkit deflates tires of soccer moms?
- Sony rootkit steals cookies from girl scouts?
- Sony rootkit cheats at final exams?
- Sony rootkit pours hot grits down Natalie Portman's pants?
While I'm not concerned about whether it's legal or not (Sony will argue that same 'fair use' clause that they're trying to demolish), I think one of the major differences here is that Viruses and Spyware don't serve legitimate purposes.
Lame, on the other hand, is used in all kinds of software and by all kinds of people for legitimate reasons. If you're scanning for and disabling the engine on someone's work PC for instance, you can end up crippling a musicians recording studio that they use for their own work, or breaking someone's home video studio or something.
Legal, yes, but totally irresponsible all the same.
So it is not only LGPL, but also the more strict GPL. This is of course all meaningless if nobody from the mpg123 project steps out and tells Sony to go with the license.
It's important to remember that "copy-right infringement" != "stealing", and if people on /. can't keep this straight, how can anyone expect Joe Public to keep it straight?
This is as much a PR battle as a legal battle, and any successful commercial organisation knows a thing or two about marketing/spin. And obviously judging by the crap they _sell_ (read push-on-consumers) as music and art, the *AA's must be successful marketers.
If you think imaginary property and real property are the same, when does your house become public domain?
Baz
[1] in some lawyers opinion.... see http://en.wikipedia.org/wiki/LAME for info.
The fact that Sony has chosen to violate a license agreement is entirely consistent with the motion picture and music industry standard operating procedures. The only rights they acknowledge are their own. For someone else to assert their rights, would be considered merely cheeky. Look at the Buchwald case, record industry and movie industry accounting practices.
In short if you look at this from the perspective that these people feel that they own YOUR right to enjoy entertainment, it all becomes very consistent.
<sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>
The GNU General Public License and the GNU Lesser General Public License have an operating system exemption. The exact wording of the exemption in both licenses is as follows:
True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.
...not its CDs. They have done more to damage their image and profits with this story than they would have saved by installing its spyware.
I also feel sorry for the poor chap who buys Ricky Martin, Neil Diamond or Celine Dion CDs, I really do.
Sony should have some kind of disclaimer about installing its bad software, maybe a 'Spyware Advisory' sticker? It is only fair.
He who knows best knows how little he knows. - Thomas Jefferson
This is all so ridiculous. It's not like Sony even asks the user if they want this crap installed. Where would they even put the copyright notice? Of all the underhanded nonsense...
Laws do not persuade just because they threaten. --Seneca
That only concerns GO.EXE, and while the analysis is correct for that executable, I checked for LAME references against every binary in the compressed XCP.DAT file after I managed to unpack it (thanks to freedom-to-tinker.com guys for providing description of the format). Turns out, there's more binaries including references to LAME, and this time there's actually code that uses the data as well. And not just LAME, there's also Id3lib included in one dll, and bladeenc and mpglib distributed along with the DRM. All of this is LGPL, it's code, and it's being used.
-- Matti Nikki
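The kind of check described in the comment above (looking for LAME references in every unpacked binary), as an added example that is not part of the original post or the poster's own tooling: a Python scan for the two marker strings quoted in the translated article in this thread, in both ASCII and UTF-16LE. The sample blobs and their file names are constructed, and a string hit shows only that the data is embedded, not that the library's code is linked or used.

```python
import re
from dataclasses import dataclass

# Marker strings taken from the article quoted in this thread (LAME's version.c).
LAME_MARKERS = ("http://www.mp3dev.org/", "LAME3.95")

# Runs of 4+ printable ASCII bytes, the same idea as the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


@dataclass(frozen=True)
class Hit:
    marker: str    # which marker matched
    encoding: str  # "ascii" or "utf-16le"
    offset: int    # byte offset of the match inside the blob
    context: str   # the full embedded string around an ASCII match


def enclosing_string(blob: bytes, offset: int) -> str:
    """Return the printable ASCII run that contains `offset`, or ''."""
    for run in PRINTABLE_RUN.finditer(blob):
        if run.start() <= offset < run.end():
            return run.group().decode("ascii")
    return ""


def find_markers(blob: bytes, markers=LAME_MARKERS) -> list:
    """Find every occurrence of each marker, in ASCII and UTF-16LE form."""
    hits = []
    for marker in markers:
        for encoding in ("ascii", "utf-16le"):
            needle = marker.encode(encoding)
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                if encoding == "ascii":
                    context = enclosing_string(blob, pos)
                else:
                    context = marker  # wide strings: report the marker itself
                hits.append(Hit(marker, encoding, pos, context))
                start = pos + 1
    return sorted(hits, key=lambda h: h.offset)


def scan_files(files: dict) -> dict:
    """Scan a {name: bytes} mapping, e.g. the files unpacked from an archive."""
    return {name: find_markers(blob) for name, blob in files.items()}


# Constructed sample blobs (not real binaries); names are hypothetical.
SAMPLES = {
    # Version string and project URL stored as NUL-terminated ASCII.
    "sample_a.bin": b"MZ\x90\x00" + bytes(16) + b"LAME3.95 \x00"
                    + b"\x01\x02" + b"http://www.mp3dev.org/\x00",
    # Same version marker stored as a wide (UTF-16LE) string.
    "sample_b.bin": b"MZ" + bytes(8) + "LAME3.95".encode("utf-16le") + bytes(4),
    # No markers at all.
    "sample_c.bin": b"MZ" + bytes(32) + b"nothing here\x00",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        if not hits:
            print(f"{name}: no markers found")
        for h in hits:
            print(f"{name}: {h.marker!r} ({h.encoding}) at 0x{h.offset:x} "
                  f"in {h.context!r}")
```

A hit is a starting point for manual review; establishing that code actually uses the data, as the comment above reports for other binaries, takes disassembly or comparison against the library's compiled objects.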
If you don't distribute the source, you have to make a written offer, valid for at least 3 years, blah blah blah.
Regarding GO.EXE, it's a cockup. I've posted a few other posts here explaining the real situation. LAME along with some other LGPL code is being used in other binaries on the DRM, I couldn't initially find them since they're compressed in XCP.DAT on the cd but they get installed on the system.
-- Matti Nikki
Posted on Thursday, November 10 @ 11:44:47 CET by brenno
GNU / GPL (Copyleft) The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.
It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3-encoder, and thereby breach the license.
This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.
Sony complied with none of these demands, but delivered just an executable program. A computer expert, whose name is known by the redaction, discovered that the cd "Get Right With The Man" by "Van Zant" contains strings from the library version.c of Lame. This can be concluded from the string: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 ".
But the expert has more proof. For example, the executable program go.exe contains a so called array largetbl. This is a part used in the module tables.c of libmp3lame.
This discovery can have far-stretching consequences for the music giant, who claims only to protect copyrights. Previously, judges in Germany already forced various companies to release source code to the public and to deliver the goods necessary for compiling. It is also possible to demand financial compensation for damages.
Meanwhile, other details are also becoming clear. The Electronic Frontier Foundation complains that the spyware makes the legal listening to the music on iPods impossible. The organisation is busy making a list of cds containing the hidden software and publishes this on her website.
Various calls to SonyBMG remained unanswered despite promises to call back.
The more I think about it, it really smells of dissension from within.
Either that or it looks to me like this is a mix of business people not understanding their market, customers, or technology and sloppy code work. I mean, what asshat would grab some open source code and not adhere to the license? It is either a tremendous faux pas on Sony's part, or there was some intentional act here to make this as reprehensible as possible.
Sort of like watching the music industry test the waters on this sort of thing and finding them extremely chilly.
This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
http://bash.org/?577451
Too bad. I've certainly wanted to be able to execute a lot of the music that's published today.
One line blog. I hear that they're called Twitters now.
I was confused and under that impression too, so I read the LGPL license. It doesn't require you to submit the source code, but it does require the machine readable object code to be released so that people can link it with the library themselves. It also requires that the fact the library is being used be clearly stated, and the LGPL license text included with the distribution.
Warning: Opinions known to be heavily biased.
First of all it seems that there is more than just LAME in there: http://hack.fi/~muzzy/sony-drm/
Second of all, am I the only one who finds it ironic that a DRM program designed to protect someone's copyrighted information is itself infringing on someone's copyright? I guess if Sony wants to fight those evil copyright violators they should start by putting themselves in jail.
IANAL, but judging from the RIAA's press releases when they sue grannies and kids, it's per copy and per work. So let's do the math. 20CD * 1 million copies each * $150,000/copy = $3 trillion dollars. That's if there's only 1 work on each copy. If they also infringed on several other projects, then you would have to multiply the damages accordingly.
$sys$README ?
Why would Sony include LAME (or parts of it) in with this rootkit? LAME is just a mp3 encoder.
Unless Sony wanted high quality mp3's made from the CD (which I seriously doubt for some strange reason), I don't get why they would put it in there.
It isn't like LAME has any DRM itself. Far from that.
Anyone have any ideas?
Maybe it was planned to upload the source later through their backdoor.
FYI. BoingBoing have compiled a comprehensive timeline of events surrounding this: http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html
Incite ICT - IT Support London
I know it causes me significant pain ...
I talk about stuff.
LGPL requires access to the source code. The only difference with GPL is that LGPL allows linking with non-free (non-?GPL) components.
MOD THE CHILD UP!
I believe you should shut up, stop relying on hearsay and read the license. Section 4 most clearly states:
Sony may claim to be looking for LAME. If so, they are using copyrighted samples to do it.
Since Sony already argues against fair use of samples, one need only supply the court
with Sony's own arguments against fair use.
1. It seems that Sony has not actually included any executable code from LAME, only some data, which is likely used as a signature, to determine if you have LAME installed and are using it to rip MP3s. This is likely fair use, not wholesale copyright violation, as far as LAME and the LGPL are concerned.
So the interesting question is: what does the rootkit do when it detects LAME on your hard drive? Does it disable or corrupt LAME? Does it phone home? Does it automatically initiate an RIAA lawsuit?
*This* is what I think the next Sony class-action lawsuit should be about. I doubt there is enough grounds to get them on an LGPL copyright infringement suit.
2. Muzzy points out that the Sony uninstaller installs a "safe for scripting" Active-X control with remotely exploitable entry points for rebooting your machine and possibly for installing arbitrary code on your machine. More fuel for the tasty class action suits that are starting up.
3. Sony has done so many evil things with the rootkit fiasco (and we haven't discovered them all yet); the outrage is spreading, and it may lead to a major backlash against the whole industry practice of distributing corrupted CDs in the name of DRM. Here's hoping for a brighter tomorrow.
Doug Moen.
I have written a truly remarkable program which this sig is too small to contain.
Disclaimer: I'm a Sony employee, and I strongly disapprove of the rootkit DRM stuff in a completely unofficial not-representative-of-the-company way ;)
But it's worth mentioning at this point that Sony didn't develop the software in question here - the XCP software was developed by First4Internet.
Not being a lawyer, or particularly knowledgeable about (L)GPL terms, who could be held liable when a piece of software is developed by one party, but distributed by another? Is ignorance a defence, for instance if Sony said "We didn't know it had unlicensed code!", how would that affect things?
Game dev and music blog
Not that it lessens their trespass, but Sony is apparently pulling the "infected" CDs:
http://www.usatoday.com/tech/news/computersecurity/2005-11-14-sony-cds_x.htm
Jerry
http://www.cyvin.org/
That's outdated. mpglib was relicensed under LGPL some years ago already, check www.mpg123.de
-- Matti Nikki
Hmm I can't imagine why Sony wouldn't want to deliver their Rootkit back to the open-source community... Let's look at it this way, Sony broke the law by distributing the rootkit as 'DRM software' then they apparently broke the law again by not redistributing their source that they modified from an LGPL project to make the rootkit. I know this is wrong, but I am glad that they didn't give back to the open-source community on this one. I mean, source code to make a rootkit that could infect all the Windows systems out there being freely distributed under the LGPL is enough to make me sick. A worm has already been written without the source code. Just imagine how many rootkit variants would be floating out there if this were open source. Yikes!
If anything, the rootkit makers are responsible of the LGPL violation (if that's proved). Saying Sony is off the hook because they licensed the rootkit from a third party is like saying Smith & Wesson is the responsible if I pick a gun and shoot someone.
If they choose XCP knowing how it works (and what it would do), they're guilty. If they choose it unknowingly, they're incompetent. They're responsible either way.
So is the Slashdot crowd going to complain and moan about Sony being a servant of the devil, and then happily go to Best Buy and get their shiny new PS3?
Suppose the case settles for 10% and the lawyers take 90%. That leaves $750 per CD-ROM for the mpg123 developers. Now think about how many CD-ROMs have been produced.
Oh, what I'd give to have Sony infringe my open source project! The mpg123 developers are some lucky bastards for sure. I need to learn how to write Windows multimedia software instead of just Linux system software.
don't forget the jailtime the beloved attorney general is pushing for copyright infringement...
Here's the link to comments of LAME developer tt at Slashdot Japan.
When Interware violation incident occurs, I feel like as if my own son/daughter were raped by them. But I soon realized I can't have enough power to change the situation. I prefer coding, listening music, cooking to legal action.
Similar comment was written on Journal entry.
tt also comments on tables, as more hint for searching copyleft infringement seeking; t16_5l[]@table.c & enwindow[]@newmdct.c
Note the words "may be". Copyright law is funny. Using things that are necessary to interoperate (e.g. simple definitions of constants and function prototypes) is not a problem from a copyright perspective (c.f. "scenes a faire"). If there's only one way to express an idea (e.g. "errno.h", which maps POSIX specified numbers to POSIX specified constant names), it's called "merger" and is not subject to copyright.
Now, if the header file contains substantial code in its own right, either in the form of code that compiles or just macros, it's possible that a case might be made that the resultant object file might be considered a derived work (though note that the other source code is expressly not).
Indeed, there might be a case to be made that dynamic linking doesn't create a derived work, and that would make the GPL legally equivalent to the LGPL. But no one's tried to make that case in a court yet.
PHEM - party like it's 1997-2003!
First of all, neither the GPL nor the LGPL require you to DISTRIBUTE the source code. They both require you to grant access to the source code.
The LGPL does not require you to give anyone access to the non-free parts you linked with it. Only if you modify the library itself you are required to give access to the sources of said library, not to the source of the program you link with that library.
So I don't see why Sony is violating the LGPL here. As you can download the LGPLed library from sourceforge, its freely accessible, no?
angel'o'sphere
P.S. I did not buy CDs since years and since iTunes I don't need any CDs anymore anyway.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
forget it, my last comment I mean ...
... why should *I* distribute code that can be downloaded from sourceforge? Or other GNU distributing sites for that matter.
I see that modern versions of LGPL want that the source of the library is included with the distributed binary.
Another reason not to use LGPL code
angel'o'sphere
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
"to a website" WRONG WRONG WRONG.
If Sony don't provide the source they must make THE source available to all third parties for at least 3 years.
This is an obligation they must fulfil.
http://www.gnu.org/licenses/gpl-faq.html#DistributeWithSourceOnInternet
http://www.gnu.org/licenses/gpl-faq.html#TOCSourceAndBinaryOnDifferentSites
Merely pointing to "a website" or "the website we got it from" is not enough.
You have to make-sure-it-stays-there. And that's not enough.
You also have to let people request it by mail charging only a minimal fee.
You have to track your releases and make sure you keep the source of each release separately so you can give people the source to the version they had.
Too many people consider only casually the obligation that the GPL puts on them. GPL is not an easy way out.
It's easy to receive GPL software because the burden is on the distributor, but you must understand and fulfil the burden when you are the distributor.
With most commercial software you pay some money before you receive it but you still have to follow the license guidelines.
Is it too often for me to say again that too many people distribute binary packages to open source software and distribute the source they compile to make the binary package but do not distribute the source to making the binary package; i.e. the .spec file, or the dev-src equivalent.
Sam
blog.sam.liddicott.com
I am seeing two issues here that are becoming clearer in the Open Source arena. One is that when there is a violation, there is not currently anyone willing to spend the huge dollars needed to litigate the issue. With Comercialware, there has always been someone with fairly deep pockets to pay an attorney to pursue the violators in court. Who is that going to be in the Open Source community? Who is making money on this stuff so that they can pay the expense of litigation when necessary? Is the 'free' trajectory shooting itself in the foot that way?
Another interesting point I see is that someone, sooner or later is going to challenge the legality of Open Source under the 'free' standard and litigate that it is tantamount to price fixing, i.e. antitrust. How long before someone challenges that the contractual language that forces someone to provide code at no cost is the same as being forced to sell it at an inflated price. The price is still fixed, whether at zero or at some other number.
These are a couple of major challenges that await open source. I hope someone gets their ducks in a row before these things come to fruition. Open Source has driven the industry in a very good direction. I would hate to see it fall because it can't support itself, financially, when and where it is needed. Justice is NOT free, in fact the costs are enormous to obtain justice. Somehow that has to be worked into the Open Source equation in a way that works for us all or the likes of Sony are going to kill it off.
Double-edged swords cut both ways. If the anti-virus people had access to the source code, then they would be able to block its propagation quite easily.
Je fume. Tu fumes. Nous fûmes!
The thing that people don't seem to realize is that if the GPL doesn't hold any water (and it may not), then the whole thing just collapses back to plain old copyright law. In that case, they can't copy and sell the code at all without permission from the writer.
If I write a book and release it on the internet for everybody to download for free, you still can't copy and sell it without my permission. The fact that the code is offered for free doesn't mean that the writer has given up his rights to the work. In fact it is the GPL that gives people the right to copy and sell the work, if they follow the rules outlined in it. Breaking the GPL means you don't have permission to copy and sell the works at all. It is the GPL itself that makes it legal for people to copy and sell GPLed work. Without the GPL it's just plain ol' copyright infringement.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
The people who own copyrights in lame need to go after Sony for $160K/cd that has been shipped. Perhaps they can set up a call center where Sony can call in to "settle".
Yes, I'm serious. It's time to turn this shit back around on these bastards.
Do you have ESP?
The underpants gnomes look upon you with disgust.
Isn't the LAME encoder an MP3 encoder that still needs to be licensed from Thomson?
In short, No!
Longer version: According to Dave Arland, a U.S. spokesman for Thomson Multimedia - 'its policy has always been to allow free use of the company's MP3 patents in "freely distributable software"'
Newsforge Article
-- Andy Jeffries Scramdisk for Linux (Change the orgy to org to reply)
Depends on the location. Muzzy lives in Finland, where a consumer has a limited right to reverse-engineer software they have legally received. This right is also non-contractable, so you can't give this right away in a contract, the part of the contract that holds limitations to reverse-engineer is invalid. Also a common lawyers' opinion is that EULAs don't hold yet no one has tested them in court. Seems to me that companies' lawyers consider the EULA invalid too. After the money has changed hands you can no longer place new limits to the use of a product.
Now that Muzzy has the facts that were obtained legally, using them is free. You can't violate an EULA by reading a website criticizing the software.
?SYNTAX ERROR
This seems like a pretty good GPL test case. The irony of copyright infringement being used to develop a copyright protecting program would likely go over well with the court!
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Isn't the minimum way to comply with the GPL's (and I assume also the LGPL's) source code distribution terms to make the source code available upon request? (IE you don't necessarily have to distribute source to those users who don't want it.) So has anybody tried requesting? It's worth a shot. I don't think we've ever had open source DRM crap before.
Have you ever wondered How to Take Over
So let's do the math. 20CD * 1 million copies each * $150,000/copy = $3 trillion dollars.
What incredible irony it would be if the LAME group ended up owning Sony Corp.
Yeah, I know, not a chance in hell, but one can dream...
When information is power, privacy is freedom.
let's not forget that the rootkit would have to distribute the source code with it!
...hmmmm Nah.
Hmmm I wonder...
$sys$rootkit.cpp
$sys$rootkit.h
$sys$drm.cpp
$sys$drm.h
$sys$lgpl.txt
Any of you LAME developers reading? Please PLEASE! don't settle!
Just once, I'd like to see a major corporation wiped off the face of the earth because it violated the law. It would send a nice message to the other megacorporations. If you're going to use the law as a weapon against us, we can use it right back.
So please, talk to the EFF. I'll donate whatever I can to the legal fund.
Give me Classic Slashdot or give me death!
&sys&/rootkit/sources
I cannot tell you how many times I have found commercial software using source from open source projects. Most of the time the product has just had the front end altered, but the application is the exact same project from sourceforge.net. I have alerted many many open source developers and every time they thank me for the notification, but they are also helpless to pursue the offending party.
Ummm, does anyone know how many programmers (also known as copyright holders) have code in LAME?
Because each copyright holder can sue independently.
Oh, and in case anyone forgot the RIAA sued a college student for $97.8 Billion. So they have absolutely no right to bitch about how stupid-huge copyright infringements can get to be. Their own lawyers participated in drafting the law the stupid-ass damages.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Yea, but if First4Internet goes bankrupt, they are off the hook, and Sony is stuck with it. Indemnification is only as good as the company behind it.
I used to always think a license meant what it says, not what the hordes of Slashdot children wishes it did. Please people, GO READ THE FRIGGING LGPL!
The LGPL does not require you to distribute the source code, it only requires you to give the source code to a user who asks for it. Including the source code with the software is only one of several means to accomplish this. Has any legal user of the software asked Sony for the source code? Anyone? I thought not...
It's not that I think Sony is innocent. Hardly! But that's no excuse for hundreds of Slashdot posters to be whining about license terms that don't even exist.
A Government Is a Body of People, Usually Notably Ungoverned
This researcher has probed the caching on DNS servers to see how many requests are made for the www addresses used by the rootkit. He's gone and generated some nice geospatial plots of the results. The West is burning!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Is anybody else just awestruck by the delicious irony of Sony violating a licensing/distribution agreement in an effort to prevent folks from violating theirs? This has the potential to venture into Greek tragedy territory before it's all over, folks.
You know you've hit rock bottom when even the Bush Administration has enough political clout to condemn your actions. Sony'd be better off if they were using this stuff to actively spy on users. That way, they could spin it as some kind of Patriot Act double-secret probationary counter-terrorism measure to prevent Al Qaeda pirating their content and funneling the black market proceeds to imbedded cells worldwide. That they didn't dub their root kit "the Freedom patch" was truly an opportunity missed.
So I think I'm headed out to the store to buy a couple CDs that contain this XPC rootkit crap, and hope I can get some sweet class action cash. Not that I'd ever be caught dead listening to the music, but maybe I could give them to a friend, and have them sue me for ruining their computer and valuable ($100,000,000) work. Then I can sue Sony because their CD cost me $100,000,000......fu#ck, someone just give me money.
You call it excessive, I call it ambitious.
You have to make-sure-it-stays-there. And that's not enough.
You also have to let people request it by mail charging only a minimal fee.
These are DISJUNCTIVE positions. You only need to do one, not all of them.
Saying "we have used unmodified versions of the LGPL library XY, and that you can obtain them from the website of the project which was at __url__ as of __date__"
*IS* sufficient. The automatic requirement to redistribute the LGPLed code is not included anywhere in the LGPL code. Were it, it would say that you must redistribute the source code for the LGPL project if you release binaries.
This is not the case. If you haven't made any changes to the LGPL code, then there is no reason to redistribute the source code, and there is no REQUIREMENT either.
I am unamerican, and proud of it!
Two hours research on various Windows Developer mailing lists will reveal all the answers needed to homebrew your own rootkit, if you have a little bit of savvy. My point is that concealing Windows' numerous design flaws in the hopes of obscuring the many ways to exploit them is not security. Besides, if you think Windows rootkit source isn't already being traded on IRC by many, you are truly naive.
Even the methodology used by the Sysinternals dude, of analyzing the kernel call vector to find the rootkit (by locating addresses pointing outside of the kernel) is nowhere near bulletproof. We're coming up on the 5th inning of the apocalypse of Windows. Soon a Mac will look cheap when you compare it to the time-consuming weekly reformat/reinstall cycles that lie just beyond the horizon.
cat
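The check mentioned in the comment above (finding call-table entries that point outside the kernel), sketched as an added example that is not part of the original thread and is not Sysinternals' code. The module names, address ranges and table contents are constructed sample data, and `example.sys` is a hypothetical driver; reading the real table from a live system is not shown.

```c
#include <stdint.h>
#include <stdio.h>
/* A loaded kernel-mode image occupying [base, base + size). */
struct module { const char *name; uint32_t base, size; };
struct finding { size_t index; uint32_t target; const char *owner; };
/* Constructed sample data (32-bit layout), not captured from a real system. */
static const struct module MODULES[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x00214000u },  /* the kernel image */
    { "hal.dll",      0x806EB000u, 0x00020000u },
    { "example.sys",  0xF8A10000u, 0x00006000u },  /* hypothetical driver */
};
static const uint32_t SERVICE_TABLE[] = {
    0x80570000u, 0x8056F100u, 0xF8A11A20u, 0x805A1234u, 0xF9000000u, 0x80601000u,
};
#define NMODS (sizeof MODULES / sizeof MODULES[0])
#define NSVC  (sizeof SERVICE_TABLE / sizeof SERVICE_TABLE[0])

/* Return the module containing addr, or NULL if no loaded image does. */
static const struct module *owner_of(uint32_t addr)
{
    for (size_t i = 0; i < NMODS; i++)
        if (addr - MODULES[i].base < MODULES[i].size) /* unsigned range test */
            return &MODULES[i];
    return NULL;
}

/* Record entries that point outside the kernel image (MODULES[0]); returns the count. */
static size_t find_redirected(const uint32_t *table, size_t n,
                              struct finding *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        const struct module *m = owner_of(table[i]);
        if (m == &MODULES[0])
            continue;                       /* still points into the kernel */
        if (found < max)
            out[found] = (struct finding){ i, table[i], m ? m->name : "<unmapped>" };
        found++;
    }
    return found;
}

int main(void)
{
    struct finding f[NSVC];
    size_t n = find_redirected(SERVICE_TABLE, NSVC, f, NSVC);
    for (size_t i = 0; i < n; i++)
        printf("entry %zu -> 0x%08X (%s)\n", f[i].index, (unsigned)f[i].target, f[i].owner);
}
```

The check inspects only the table's pointers, so a clean result is not proof that the kernel is unmodified.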
So this boils down to Sony ignoring the access control (LGPL) in place on the LAME library and committing theft of someone else's Intellectual Property in order to construct their DRM code?
If this isn't the most blatant case of a pot calling a kettle black. They should be sued under the DMCA for each CD they have sold in the US market.
It would seem this is no longer a civil matter but a criminal matter. Will this be taken as a case by the FBI?
-l