DVD Jon's Code In Sony Rootkit?
An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."
The string is there because it's part of DVD Jon's code for stripping the DRM out of iTunes files, but yes - it's there all right. Matti Nikki points out the relevant offset in the article.
"I Know You Are But What Am I?"
Get it here.
I have to make sure everyone understands why this string is here. To be fair with Sony (or whoever they mandated), it is not an attempt from them to hide the code theft. Rather, it is an attempt by Apple to prevent not only code theft but also clean-room reimplementations.
Apple's encryption scheme includes the generation of a key. The important parts of this key come from the machine's unique hardware information. But to prevent (at least that's my only plausible explanation for it) people from reimplementing the scheme by using the same information, they also add this copyright string to the key generation. Reimplementing their protocol means the string has to be used.
We just store it ROT13'ed in VLC because it would be confusing to have an Apple copyright in our code. Although technically the string itself is created by Apple, it is too short to qualify for copyright.
God, root, what is difference ?
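The mechanism described in the comment above (a copyright string folded into key generation, stored ROT13'd in source, and findable at an offset in a binary) can be illustrated with a small added example. This is not VLC's drms.c, not Apple's scheme, and not the commenter's code: the marker string, the hardware identifiers and the sample binary blob below are all constructed placeholders, and the hash-based derivation is a hypothetical sketch of the idea only. The `find_marker` scanner shows the defender's side of the story, how a reviewer can locate such a string in a compiled artifact whether it was embedded plain or ROT13'd.

```python
import codecs
import hashlib

# Constructed marker: stands in for the copyright string the comment describes.
# The real string is not on the page, so this value is a placeholder.
MARKER = "Constructed Copyright Marker 2005"


def rot13(text: str) -> str:
    """Apply ROT13 to a str; the transform is its own inverse."""
    return codecs.encode(text, "rot_13")


# What a source tree might hold instead of the plain marker, as the comment describes.
OBFUSCATED_MARKER = rot13(MARKER)


def derive_key(hardware_ids: dict, marker: str) -> bytes:
    """Hypothetical key derivation (assumption, not Apple's algorithm): hash
    per-machine identifiers together with the marker string. Any reimplementation
    that must produce the same key has to embed the same marker."""
    h = hashlib.sha256()
    for name in sorted(hardware_ids):
        h.update(f"{name}={hardware_ids[name]}\0".encode())
    h.update(marker.encode())
    return h.digest()


def find_marker(blob: bytes, marker: str) -> list:
    """Return (offset, form) for every plain or ROT13'd occurrence of marker in blob.
    This is the kind of string search that lets a reviewer spot reused code in a binary."""
    hits = []
    for form, needle in (("plain", marker.encode()), ("rot13", rot13(marker).encode())):
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, form))
            start = idx + 1
    return sorted(hits)


# Constructed stand-in for a compiled binary: padding around the ROT13'd marker,
# then a second copy of the marker stored in the clear.
SAMPLE_BLOB = (
    b"\x00" * 64
    + OBFUSCATED_MARKER.encode()
    + b"\x90" * 32
    + MARKER.encode()
    + b"\xff" * 8
)

# Constructed hardware identifiers for the derivation sketch.
SAMPLE_IDS = {"serial": "PLACEHOLDER-SN-0001", "mac": "00:11:22:33:44:55"}


if __name__ == "__main__":
    print("obfuscated form stored in source:", OBFUSCATED_MARKER)
    print("key with marker   :", derive_key(SAMPLE_IDS, MARKER).hex())
    print("key without marker:", derive_key(SAMPLE_IDS, "").hex())
    for offset, form in find_marker(SAMPLE_BLOB, MARKER):
        print(f"marker found at offset {offset:#x} ({form})")
```

Running the script prints the ROT13'd constant as it would sit in a source file, two different keys (showing that leaving the marker out changes the result), and the offsets of both copies in the sample blob. Because ROT13 leaves digits untouched, a scanner that only searches the plain form would still miss the obfuscated copy, which is why `find_marker` tries both.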
I've been chasing down several accounts of government agencies, companies, educational institutions and others banning the use of Sony CDs on their PCs, due to the security risks of having Sony's rootkit DRM infecting their PCs. One government ministry, Alberta Agriculture, has banned the use of music CDs altogether, since Sony is hardly the only music company crippling its CDs with sneaky, malicious software. Here are a couple examples:
Here I thought this would only happen for "secure" workplaces. Sorta makes you feel sorry for SCO, they can't get anyone to even look at the crazy they're selling when Sony's got such a superior line of insane self-destructiveness.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Didya notice... the spin that - possibly - Sony has managed to put on the story
CNN Europe and other mainstream media providers carried it like this:
The trouble with the Sony software is that it makes your computer VULNERABLE TO VIRUSES.
The mainstream spin is that the Sony software just opens the door to the bad guys. The word "rootkit" is not offered.
It makes out as though Sony blundered and issued some insecure software, and how big a deal is that?
This story deserves to grow and become a defining moment, but there's a long way from the tech community to the mainstream media.
Now is the winter of our disco tent
He knows
According to both LGPL and GPL the one you get the software from is the distributor. He is the one responsible for adhering to the licenses. He can of course sue his own software provider later, but for now it's Sony that distributed the programs.
If Sony is providing the source code for the programs and restates that the software is under GPL (thus giving you the right to modify and distribute your modification), then everything is fine between Sony and you though.
There have been several similar cases in Europe about this, and in every case the GPL has been found valid, and the violation of the license has been considered healed, if the final distributor was able to get hold of the source code and distribute this one too under GPL.
Check GPL v2.0 section 4:
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
For Sony this means: They lost the right to distribute the Program, and they will be in violation of the GPL until they start to comply with the GPL themselves (e.g. distributing the source and allowing modifications and redistribution under GPL).
Product liability law is a bit different from standard negligence law. If liability can be attached, the law specifically allows claimants to recover damages from any part of the supply chain, not just the manufacturer or original supplier. I.e., even Best Buy could be held liable. This common law feature is called strict liability of torts, I think, and probably evolved to prevent passing of the buck.