Slashdot Mirror


DVD Jon's Code In Sony Rootkit?

An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."

20 of 585 comments

  1. Sony isn't the only one to lambaste here by Gnascher · · Score: 4, Insightful

    Remember, Sony purchased the rootkit from First4Internet. They wrote the software that is abusing the GPL.

    Most folks don't review the source code of software they purchase to determine if its license tree is clean.

    Sony definitely made a truly dumb move by utilizing this DRM software (and several other dumb moves subsequently), but let's not let First4Internet off the hook either.

    --
    It's not my fault! It was this way when I got here.
  2. Wow. Just WOW. by iainl · · Score: 5, Insightful

    From the Sony binary file:

    "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq."

    ROT 13 it, and you get

    "copyright (c) Apple Computer, Inc. All Rights Reserved."

    You couldn't make it up, could you?

    --
    "I Know You Are But What Am I?"
    1. Re:Wow. Just WOW. by Sam+H · · Score: 5, Insightful
      Why does Sony's DRM include code to break Apple's DRM? Are they just scanning for evidence that your code is running, statically built the library because they were stealing some other aspect of your program, or do they actually want to decrypt Apple files?

      It is likely that they are not using VLC's code but some other, smaller application that just happens to use our code (and which may or may not respect the GPL itself -- there may be unknown intermediaries in the story). The drms.c file is part of VLC's MPEG-4 / QuickTime demuxer, so it could be a music player or a media tagging utility, for instance.

      --
      God, root, what is difference ?
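The ROT13-obfuscated copyright notice quoted in the comment above is exactly the kind of string a plain strings(1) pass over a binary would miss. The following is an added example, not code from the original post or from any of the parties discussed: it extracts printable ASCII runs from a byte blob, applies ROT13 to each, and reports only those runs that contain a vendor-notice marker after decoding but not before. The SAMPLE_BLOB bytes, the MARKERS list and the minimum run length are constructed assumptions for the demonstration, not data from Sony's actual file.

```python
import codecs
import re

# Constructed sample blob (NOT the real Sony/F4I binary): some non-printable
# bytes, the ROT13 string quoted in the comment, a harmless plaintext string,
# and an ordinary, un-obfuscated copyright notice that should not be reported.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00junk\x00"
    b"pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq."
    b"\x00\x00plain text string here\x00\xff\xfe"
    b"Copyright (c) Example Corp (constructed)\x00"
)

# Markers commonly found in vendor notices (assumed list for this example).
# A run is interesting when a marker appears only after ROT13 decoding.
MARKERS = ("copyright", "all rights reserved", "(c)")


def rot13(text: str) -> str:
    """Apply ROT13 to ASCII letters; ROT13 is its own inverse, so this
    both obfuscates and de-obfuscates. Non-letters pass through unchanged."""
    return codecs.encode(text, "rot_13")


def printable_runs(blob: bytes, min_len: int = 8):
    """Yield (offset, text) for runs of printable ASCII of at least min_len
    bytes, roughly what strings(1) would print for the blob."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, blob):
        yield m.start(), m.group().decode("ascii")


def find_rot13_strings(blob: bytes, markers=MARKERS):
    """Return a list of (offset, raw, decoded) for printable runs whose ROT13
    form contains one of the markers while the raw form does not. Plaintext
    notices are therefore skipped, and only obfuscated ones are reported."""
    hits = []
    for offset, raw in printable_runs(blob):
        decoded = rot13(raw)
        raw_l, dec_l = raw.lower(), decoded.lower()
        if any(k in dec_l for k in markers) and not any(k in raw_l for k in markers):
            hits.append((offset, raw, decoded))
    return hits


if __name__ == "__main__":
    for offset, raw, decoded in find_rot13_strings(SAMPLE_BLOB):
        print(f"0x{offset:08x}: {raw!r} -> {decoded!r}")
```

Run against a real file with `find_rot13_strings(open(path, "rb").read())`; the marker-based filter keeps the output short, and the same structure extends to other trivial encodings (XOR with a single byte, for instance) by swapping the decode step.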
  3. Re:A share of profits? by RobinH · · Score: 4, Insightful

    Actually I might be thinking patent infringement there. Seems like in a copyright case they could sue for statutory or actual damages if the material has been registered with the copyright office. The statutory damages might be $750 to $30,000 per infringement, but a judge can go above or below those numbers. Actual damages require you to prove loss of income, which would be difficult in this case, since the code is distributed freely (in the sense of beer).

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  4. Re:Stranger and stranger by BushCheney08 · · Score: 5, Insightful

    Bear in mind that Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet. While we all should (rightfully) be pissed at Sony for including this on a bunch of their CDs, we should be equally as pissed (or moreso) at First 4 Internet for their (L)GPL violations and for making this product in the first place.

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  5. Re:Stranger and stranger by A+beautiful+mind · · Score: 4, Insightful

    Isn't Sony the distributor, thus the violator of (L)GPL ?

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  6. Re:Stranger and stranger by replicant108 · · Score: 5, Insightful

    Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet.

    Actually, Sony were responsible for distributing the software.

    That's why they're in trouble.

  7. Re:Stranger and stranger by harrkev · · Score: 4, Insightful

    I am not sure that I would come down too hard on Sony for this...

    The GPL violations lie firmly on the shoulders of F4I. If Sony did not disassemble the code or inspect the source, they had no way of knowing.

    We certainly CAN blame Sony for throwing crap DRM at us in the first place, and we can criticize their PR response to this whole mess. But we cannot blame them for GPL stuff.

    And as far as the uninstall fiasco goes, Sony did not write the software, so I am sure that they do not know how to remove it. They have to rely on F4I to supply the uninstall software. But, once again, it IS their fault that they did not pull the uninstall program earlier once the security holes had been found. But Sony is a corporation, with probably 1,000 layers of management, so even that is understandable.

    --
    "-1 Troll" is apparently the same as "-1 I disagree with you."
  8. Is it actually using the code? by 91degrees · · Score: 3, Insightful

    It could just be using extracts to identify the software. I mean, why would they want LAME and DeCSS on their CDs? They have no use. We don't need an MP3 encoder because any compressed copies will be already encoded in a DRM format. They really don't need to decode iTunes songs.

    If these are small segments, used for identifying and disabling the software, then the copyright defence could be fair use. And there's no way I'll say that copyright should prevent this.

  9. Re:Stranger and stranger by BushCheney08 · · Score: 4, Insightful

    IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code). Not to mention, they pulled the CDs from the shelves already, which they could say coincided with the revelation of copyright violations on the discs -- i.e., immediate action was action. I'm not trying to defend them or their practices at all, I'm merely looking at it from a "who can be held accountable" point of view.

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  10. Re:A share of profits? by Anubis350 · · Score: 5, Insightful

    I wouldn't blame Sony too much since they're just trying to stop pirates from copying their music

    *I* would. Are you seriously saying that if they committed copyright infringement to prevent copyright infringement it's ok because they're preventing copyright infringement? And that rootkitting thousands of machines worldwide is perfectly fine because "they're just trying to stop pirates"? wow! I want what you're smoking!

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  11. Re:I'm suprised that the execs at Sony...... by 'nother+poster · · Score: 5, Insightful

    They are both to blame. Company A says "Since a lot of companies want DRM, we'll give them some DRM. Who cares if it's a stupid and possibly illegal implementation, it will make us a buttload of cash." Company B comes along and says, "That's just what we've been looking for! We have no idea how it really works, and we don't care, but you buy a great lunch and the presentation used all of our required buzzwords."

    "First 4 Internet" are idiots for thinking they were more clever than several million computer geeks around the world. Sony are idiots for not thoroughly researching exactly what the software they licensed did, and how it did it, as well as thinking they had some right to do as they wish with someone else's property.

  12. Re:Stranger and stranger by bri2000 · · Score: 4, Insightful

    That sort of defence might work for, say, a magazine cover disc that inadvertently included a virus but not here. The inclusion of this software will have been a big thing for Sony. They will have paid to license the code from F4I and deliberately included it in their products. For them to say they didn't know what it did or that it didn't work as they believed it did is no more of a defence than it would be for a car manufacturer to claim it isn't liable for its vehicles catching fire because this is caused by a faulty fuel pump made by somebody else. Sony may be entitled to an indemnity from F4I (although when a company has shown themselves to be this incompetent I wouldn't be at all surprised if Sony forgot to demand this...) but that's a different matter (and probably worthless given the size of the mess). Where damage has been done it's been caused by a Sony product. Therefore Sony are liable. The fact they don't seem to have bothered with any sort of due diligence on the software they were licensing which caused the damage is no defence.

  13. Re:No-one truly cares though by TheWormThatFlies · · Score: 5, Insightful

    Look, it's very simple: people are kicking up a fuss about this because it is hypocritical for Sony to maintain its anti-copyright-infringement stance, and attempt to take the moral high ground in this regard, if Sony itself is infringing copyright left, right and centre.

    If a politically powerful, fanatical anti-drug campaigner who constantly lobbied for pot-smokers to be thrown in jail for years and fined huge sums of money were caught smoking pot, I would not be surprised to see large numbers of people demanding that he be thrown in jail and fined millions, in keeping with the laws that he himself helped establish, even if they were pro-legalisation activists who firmly believe that the laws are unjust.

    It is a challenge to the legal system to treat everyone equally under the law, and thus either apply an unfair, draconian law to everyone, including powerful parties who have previously used the law against their enemies, or to concede that the law is unfair and change it.

  14. Re:Stranger and stranger by cgenman · · Score: 5, Insightful

    Sony paid someone for a root kit to be secretly installed on people's machines. A root kit. You know, like paying a criminal to bug someone's phone. Sony damn well should have gone over that thing with a fine toothed comb, as it would have been trivial for First4Internet to get credit card numbers, access to bank accounts, corporate secrets, and anything else it wanted. Or, say, accidentally give access to that stuff to everyone in the world.

    All parties involved in an illegal activity are responsible for that activity. Sony is no different.

  15. Very Dangerous Reasoning by isn't+my+name · · Score: 4, Insightful

    IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code).

    You know, I think that this does make sense. However, this is a very dangerous line of reasoning. If you let Sony get off with no consequences for distributing stolen code, then you will never be able to prosecute any big corporation for code copyright violations.

    All a mega-corp need do is find a small, arms-length firm to launder the stolen code. Let that small firm actually steal it and then hand it on a silver platter to the mega-corp. If the mega-corp is caught, the small firm takes the hit and disappears in a puff of bankruptcy. Then mega-corp goes on to the next small firm.

    If Sony truly didn't know about this, then they probably should not be liable for any statutory damages. However, they did distribute the code--which is technically a violation. Sony should be the one accountable for that violation and Sony should be able to sue First4Internet--unless of course First4Internet's license with Sony includes the standard indemnification clause like we see in most EULA's. In that case, Sony will be hoisted by their own petard--and it couldn't happen to a nicer group of people.

  16. Re:Stranger and stranger by Urusai · · Score: 3, Insightful

    Walmart didn't hire those illegals, they just hired a company that employed illegals and made them live in the back of Walmart.

    Bush didn't lie to the world, the CIA just enhanced a couple of reports with speculatively extrapolated contingency scenarios.

    Satan isn't responsible for the fall of Man, Eve was the one who gave Adam the fruit.

    Sony...naw, Sony is as pure as a freshly powdered baby's bottom.

  17. Re:No-one truly cares though by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    I'd say that at least a third of the population condones non-commercial copyright infringement... The point is, when an act is accepted by a significant proportion of the population, chances are that act is ethical

    So obviously Sony (or the company that wrote the code if you want to get pedantic) is right to have infringed upon DVD Jon's code.

    How is this copyright infringement non-commercial? It was done for profit by an organization whose stated goal is to make money.

    So it all comes down to slashdot isn't the place to go to if you want to hear intelligent debate about copyright laws.

    True enough, but only because there are so many people like you who don't seem able to comprehend the arguments put forth. A significant number of people infringe copyright non-commercially and that indicates that the will of the people might be that it should be legal. A significant number of people do not commercially infringe copyrights or condone it. I'd agree with that argument, as would many people. But to claim it is hypocritical is ridiculous. It is called a false dichotomy. There is no hypocrisy in believing that non-commercial copyright infringement should be legal, but commercial should be illegal. There is no hypocrisy in believing our copyright system is corrupt and counterproductive, but still believing a copyright system that is better designed can be useful. There is no hypocrisy in believing business and software patents are garbage, but traditional patents are a good idea. There is no hypocrisy in believing Toyota makes reliable cars but Ford does not. Please take the time to actually read and understand an argument someone puts forth before declaring them a hypocrite and ascribing a whole lot of motives to them, even though you obviously have no way of knowing them.

  18. Here is the difference by donscarletti · · Score: 5, Insightful

    When some cheapskate downloads copyrighted MP3s from a P2P network, it's 'copyright infringement', but when Sony uses GPL'd code it's 'stealing', right?

    There are many types of copyright violations with very different types of severity:

    The first type is when someone goes out and downloads a song, let's say "...And Justice for All" by Metallica; they have simply avoided paying for it by getting it through illegal means. This does not equate to any directly measurable loss of revenue because when the effective price of something is lowered, people are more likely to get it. Thus it is not only likely that someone would not have bought the CD if the pirate mp3s were not available, but it is actually more likely than not. This is of course not a wholly moral practice, but it is certainly not as bad as many other evils that exist in society today. These are the infractions that occur on Kazaa and its ilk.

    The second type of infraction is where one duplicates the media on which intellectual property is contained and sells it themselves at an actual monetary price. This is very different since there is a very obvious minimum bound on the loss of revenue caused by this, which is of course the markup on the pirated media. Motivation also changes in this type since there is a very clear misdirection in the chain of money where the pirate gets a clear financial benefit whereas they receive none in the first set. This type of violation is criminal in most jurisdictions whereas the first type is wholly civil.

    The third and most severe case is where intellectual property is rebranded and its credit is misappropriated to another party. This historically has been a result of industrial espionage but today, open source software is very vulnerable to it. This is equivalent to the Kazaa casual pirate claiming that they wrote "...And Justice for All". It means that not only does the pirate get the profit for the sale of the intellectual property instead of the legal creator, but those who are convinced to use this thing in future by seeing the rebranded thing will never go to the real author to get a copy for themselves. In either of the previous two types there is a likelihood that the author will eventually get money or whatever they are looking for (usually an ego boost in the case of OSS) but in the third type this is not the case. This is a far more thorough misappropriation of this IP and thus the term "stealing" is far more appropriate.

    The reason that these three types are so neatly ranked is that as you can see, each one is a subset of the type before. Not everyone gets annoyed by violations at every layer since OSS doesn't mind the first or second type occurring but hates the third kind. Sun doesn't mind the first type occurring but hates the second and third with Java. Public domain doesn't mind any of the three. But no one will let one layer slide that is above something that annoys them.

    This case with Sony is clearly not a third type violation (which I would call stealing) but is a second type (which I would call piracy) since Sony did not claim to write this software or even advertise its existence. The GPL says you can do second type scenarios on the condition that you distribute the source code. Sony redistributed this IP for money but did not distribute the source code AFAIK so they violated the rules on this level. This puts them on par with sleazy bootleg vendors on street corners and eBay pirate CD vendors but significantly worse than some kid downloading Nelly mp3s off Kazaa and significantly better than the jerks behind CherryOS.

    So there you have it, why downloading some dumb pop song off the internet isn't as bad as taking credit for someone else's hard work and making millions of dollars off it and why Sony are halfway in between on this one.

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem
  19. what is even by suezz · · Score: 5, Insightful

    sicker is that apparently the companies that we rely on for getting rid of rootkits knew about the software since 2004 and did nothing. good going guys.

    doesn't it really make you look forward to VISTA - it is going to have this crap all over the OS - they are working with media companies so everyone has to use windows to watch TV or DVDs.

    none of these companies care about the consumer - they are going to give us what they are going to give us and that's it.

    this is why I chose open source and always will. no one is going to tell me how to use my computer.