Slashdot Mirror


Sony Rootkit Allegedly Contains LGPL Software

Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.

23 of 623 comments

  1. Re:Uuuuuh by wlan0 · · Score: 5, Informative

    According to the EFF.

    This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in-between form between source code and executable code, the so called object files, with which others can make comparable software.

  2. Takedown notice against Sony by Anonymous Coward · · Score: 5, Funny

    Someone should send a takedown notice to the Sony corporation.

  3. Re:Uuuuuh by DataPath · · Score: 5, Informative

    Small clarification - you're not freed from the requirement to make the code for the LGPL portion available. You don't have to make the source code for the program that links against the LGPL code available.

    No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and direct users of the software to a website containing the source code.

    --
    Inconceivable!
  4. It serves them right! by AndroidCat · · Score: 5, Funny

    If they'd gone Open Source from the start with their rootkit, the community could have contributed bug fixes and improvements. Even their competitors could have gotten involved, resulting in a truly powerful bug-free rootkit for use by everyone.

    --
    One line blog. I hear that they're called Twitters now.
  5. Sneaky Sony by Ritz_Just_Ritz · · Score: 5, Funny

    I knew something was up when I saw that Aibo perched at my keyboard when I woke up this morning.

    Next thing you know, they'll be after our precious bodily fluids.

  6. More info by muzzy · · Score: 5, Informative

    The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.

    Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/
    There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.

    --
    -- Matti Nikki
  7. Almost. by Anonymous Coward · · Score: 5, Informative

    If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL.

    Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distributing statically linked binaries and all .o files (also the closed ones). AFAIK, Loki did this for statically linked, closed-source, SDL-based games.

  8. What's next? by Pig Hogger · · Score: 5, Funny
    The more it goes, the worse it seems. What's next?

    - Sony rootkit eats kittens?
    - Sony rootkit throws momma from the train?
    - Sony rootkit spawns Darth Vader?
    - Sony rootkit deflates tires of soccer moms?
    - Sony rootkit steals cookies from girl scouts?
    - Sony rootkit cheats at final exams?
    - Sony rootkit pours hot grits down Natalie Portman's pants?

    1. Re:What's next? by 10101001 10101001 · · Score: 5, Funny

      - Sony rootkit infringes cookies from girl scouts?

      There, fixed that for you.

      --
      Eurohacker European paranoia, gun rights, and h
  9. Re:Thank god! by Halo1 · · Score: 5, Insightful

    They're not stealing code, they're infringing on the author's copyrights by not respecting the license under which the code is being distributed (in exactly the same way people who "share" Sony/BMG music via p2p etc infringe on Sony/BMG's and the artists' copyrights).

    --
    Donate free food here
  10. "operating system on which the executable runs" by tepples · · Score: 5, Informative

    <sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>

    The GNU General Public License and the GNU Lesser General Public License have an operating system exemption. The exact wording of the exemption in both licenses is as follows:

    However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.

  11. ... or maybe yes by muzzy · · Score: 5, Interesting

    That only concerns GO.EXE, and while the analysis is correct for that executable, I checked for LAME references against every binary in the compressed XCP.DAT file after I managed to unpack it (thanks to freedom-to-tinker.com guys for providing description of the format). Turns out, there's more binaries including references to LAME, and this time there's actually code that uses the data as well. And not just LAME, there's also Id3lib included in one dll, and bladeenc and mpglib distributed along with the DRM. All of this is LGPL, it's code, and it's being used.

    --
    -- Matti Nikki
  12. Sabotage from within? by jeffs72 · · Score: 5, Interesting
    I could see the developer who had this project fall in his lap say "this is fucking stupid, let's teach them a lesson on integrating spyware with their cds" and violating this license (which will give them a black eye) and then write it in such a way that people can easily use it as a virus/trojan vector.

    The more I think about it, it really smells of dissension from within.

    Either that or it looks to me like this is a mix of business people not understanding their market, customers, or technology and sloppy code work. I mean, what asshat would grab some open source code and not adhere to the license? It is either a tremendous faux pas on Sony's part, or there was some intentional act here to make this as reprehensible as possible.

    Sort of like watching the music industry test the waters on this sort of thing and finding them extremely chilly.

    --
    This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
  13. Re:Notification? by Professor_UNIX · · Score: 5, Funny
    This is all so ridiculous. It's not like Sony even asks the user if they want this crap installed. Where would they even put the copyright notice? Of all the underhanded nonsense...

    This is the problem with the viral nature of the GPL and even the LGPL licenses and is why you should really consider using BSD licensed software in your DRM rootkits in the future. Screw the FSF!

  14. Re:So... How about them statutory damages... by Yartrebo · · Score: 5, Insightful

    IANAL, but judging from the RIAA's press releases when they sue grannies and kids, it's per copy and per work. So let's do the math. 20CD * 1 million copies each * $150,000/copy = $3 trillion dollars. That's if there's only 1 work on each copy. If they also infringed on several other projects, then you would have to multiply the damages accordingly.

  15. Re:Uuuuuh by ppz003 · · Score: 5, Funny

    $sys$README ?

  16. In Case Anybody's Losing Track by trentrez · · Score: 5, Informative

    FYI. BoingBoing have compiled a comprehensive timeline of events surrounding this: http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html

  17. What does the rootkit do when it detects LAME? by dmoen · · Score: 5, Interesting

    1. It seems that Sony has not actually included any executable code from LAME, only some data, which is likely used as a signature, to determine if you have LAME installed and are using it to rip MP3s. This is likely fair use, not wholesale copyright violation, as far as LAME and the LGPL are concerned.

    So the interesting question is: what does the rootkit do when it detects LAME on your hard drive? Does it disable or corrupt LAME? Does it phone home? Does it automatically initiate an RIAA lawsuit?

    *This* is what I think the next Sony class-action lawsuit should be about. I doubt there is enough grounds to get them on an LGPL copyright infringement suit.

    2. Muzzy points out that the Sony uninstaller installs a "safe for scripting" Active-X control with remotely exploitable entry points for rebooting your machine and possibly for installing arbitrary code on your machine. More fuel for the tasty class action suits that are starting up.

    3. Sony has done so many evil things with the rootkit fiasco (and we haven't discovered them all yet); the outrage is spreading, and it may lead to a major backlash against the whole industry practice of distributing corrupted CDs in the name of DRM. Here's hoping for a brighter tomorrow.

    Doug Moen.

    --
    I have written a truly remarkable program which this sig is too small to contain.
  18. outdated info, it's LGPL nowadays by muzzy · · Score: 5, Informative

    That's outdated. mpglib was relicensed under LGPL some years ago already, check www.mpg123.de

    --
    -- Matti Nikki
  19. Re:Not Sony by jrcamp · · Score: 5, Insightful

    "But I didn't know my Internet connection was being used by my son to download Sony BMG artists' songs!"

    "I'm sorry sir but you're the owner. You owe $500,000 in damages."

    They don't allow the "but I didn't know" explanation. Why should they be allowed to use it? I say try to nail them. They've done far worse to others.

  20. How many of you have PS3's on preorder now? by C. Mattix · · Score: 5, Insightful

    So is the Slashdot crowd going to complain and moan about Sony being a servant of the devil, and then happily go to Best Buy and get their shiny new PS3?

  21. Re:It's getting pulled anyhow by Slashcrap · · Score: 5, Insightful

    Not that it lessens their trespass, but Sony is apparently pulling the "infected" CDs:
    http://www.usatoday.com/tech/news/computersecurity/2005-11-14-sony-cds_x.htm

    Are they also pulling all of the infected PCs in for free repairs?

    No? Then let's not help these wankers by helping to spread their desperate PR pieces.

  22. GPL gives rights beyond copyright law by chihowa · · Score: 5, Interesting
    Of course you're a troll, but I'll bite anyway.

    The thing that people don't seem to realize is that if the GPL doesn't hold any water (and it may not), then the whole thing just collapses back to plain old copyright law. In that case, they can't copy and sell the code at all without permission from the writer.

    If I write a book and release it on the internet for everybody to download for free, you still can't copy and sell it without my permission. The fact that the code is offered for free doesn't mean that the writer has given up his rights to the work. In fact it is the GPL that gives people the right to copy and sell the work, if they follow the rules outlined in it. Breaking the GPL means you don't have permission to copy and sell the works at all. It is the GPL itself that makes it legal for people to copy and sell GPLed work. Without the GPL it's just plain ol' copyright infringement.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.