Slashdot Mirror


DVD Jon's Code In Sony Rootkit?

An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."

16 of 585 comments

  1. A share of profits? by RobinH · · Score: 5, Interesting

    This is GPL'd code, not LGPL'd, right?

    Anyway, DVD Jon can actually sue Sony for all *revenue* that Sony made from the sale of the CDs, if I'm not mistaken (not just profits). That would grab them where it hurts!

    --
    "I have never let my schooling interfere with my education." - Mark Twain
    1. Re:A share of profits? by Alchemar · · Score: 5, Interesting

      If it is GPL code, then wouldn't it make the EULA unenforceable under the "cannot add other restrictions" clause?

  2. Who guessed it? by OxygenPenguin · · Score: 5, Interesting

    I said right off the bat that the Sony DRM package would be full of others' code. Seems to me that Sony hired some blackhats to get the job done for them. Violating the GPL is definitely the least of their worries, but just another strike against what is becoming an increasingly corrupt music giant.

    --
    Read the only personal Runyon page out there.
  3. Isn't that doubly illegal? by meringuoid · · Score: 4, Interesting
    They've simultaneously violated DVD Jon's copyright on his code, and (in distributing it in the USA) violated the DMCA to boot!

    Sony ought to be in some severely deep shit here. Of course they're a corporation, so they're mostly above the law, but we should still be able to get something to stick.

    --
    Real Daleks don't climb stairs - they level the building.
    1. Re:Isn't that doubly illegal? by Albanach · · Score: 4, Interesting
      Actually if the software came from first4internet and first4internet are based in the UK then this could be interesting.

      Under UK law copyright infringement is a criminal offence - in other words, report it to the police and they are obliged to investigate.

      So if the copyright holder were to let the police know of their concerns and supply some evidence, the company that authored the software could have an interesting visit.

  4. Stranger and stranger by sgant · · Score: 4, Interesting

    This story gets weirder by the minute.

    Though it wouldn't happen in a million years, I'd like to think this will bring Sony to its knees. It won't, but someone can dream.

    Not that I had anything against Sony in the first place, but since this crap they threw out there and expected everyone to just "take it", they need to be slapped and slapped often.

    They haven't even apologized yet. At least I haven't seen it. Though just saying "sorry" doesn't cut it anymore as thousands of computers are now vulnerable in the world due to their greed.

    --

    "Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
    1. Re:Stranger and stranger by Generic+Guy · · Score: 5, Interesting
      i.e., immediate action was action.

      Except after the initial exposure of this rootkit in their products, Sony bigwigs were on an NPR radio broadcast saying essentially (paraphrased) "What they don't know won't hurt them". I'd certainly contend that constitutes delayed action, and possibly collusion. Plus the factoids coming out that this rootkit may have possibly been distributed by Sony for over a year now.

      Regardless of who wrote it, Sony is still the one who deliberately distributed millions of CDs containing this malware. They should have done due diligence on their own product before shipping. They've supposedly stopped making CDs with XPC, but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again. Instead, they've done practically nothing (except some basic CYA by halting further production) and practically promised that they'll be trying this again in some form in the future. Hardly sounds like an 'innocent' party.

      Sony certainly deserves to get their collective ass handed to them. It's just a shame it will have to happen through lawsuits and consumer boycotts, as you'd think they would learn not to abuse their own paying customers. I guess not.

      P.S. Screw you Sony, your products, warranties, and service have been crap for years, but now I will actively avoid anything to do with you.

      --
      { - Generic Guy - }
    2. Re:Stranger and stranger by AgentGibbled · · Score: 4, Interesting

      "but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again."

      Actually, it appears that they *do* plan to offer replacement discs. I tried to post this to the main page (a fairly significant development, IMHO), but alas it was rejected. In other news, Mark Russinovich is declaring victory as a result.

      I'm not saying that makes everything okay... I'm just saying that they're not being *total* jerks about this (just *partial* jerks). I expect we'll see more of a response out of Sony once that large bureaucratic ball eventually does get rolling. In an organization the size of Sony, I'd bet it has quite a lot of inertia.

      And no, I won't be buying any more Sony CDs... or probably anything else - just on principle.

  5. Re:Sony isn't the only one to lambaste here by l2718 · · Score: 4, Interesting

    Not quite true -- Sony is "distributing" the software as defined by the GPL. Moreover, the work was performed by First4Internet as agents of Sony. These both seem to indicate they are liable. On the DMCA side, they are "trafficking" in an anti-circumvention device (assuming the software does actually activate the codepath in question).

  6. First4Internet could be in BIG trouble. by meringuoid · · Score: 5, Interesting
    The Computer Misuse Act, 1990

    3.(1) A person is guilty of an offence if
    (a) he does any act which causes an unauthorised modification of the contents of any computer; and
    (b) at the time when he does the act he has the requisite intent and the requisite knowledge.
    (2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
    (a) to impair the operation of any computer;
    (b) to prevent or hinder access to any program or data held in any computer; or
    (c) to impair the operation of any such program or the reliability of any such data.

    I think First4Internet's little toy is designed to prevent or hinder access to programs and data held in a computer, don't you? And I really doubt that their click-through EULA constitutes authorisation to do so; it was fraudulently claimed that the Software was necessary to play the music, which was a plain lie as is shown by every Linux and Apple machine that plays it just fine without the rootkit installed.

    I might add that even though these discs are not available in the UK, the Computer Misuse Act still holds.

    Anyone know if we could possibly get Inspector Knacker to take a look at these felonious fellows?

    --
    Real Daleks don't climb stairs - they level the building.
    1. Re:First4Internet could be in BIG trouble. by Maestro4k · · Score: 3, Interesting
      I question the methodology. As far as I can tell, he's reporting which DNS servers have resolved queries for First4Internet. And he's doing it after the scandal has been all over the online news sites, all over the blogosphere and links to First4Internet's sites posted in a couple of dozen +5 comments on /.

      I'd be surprised if there was a DNS server left on earth that hadn't recently handled a query for First4Internet by now.

      I think the methodology is sounder than you think, the info on his page seems to indicate he didn't go by resolutions for just any F4I addresses but for addresses the rootkit used, particularly he mentions updates.xcp-aurora.com, something curious/outraged people aren't likely to try resolving for the hell of it.

      In any case it's worth investigating, notice that not all of Europe is covered in red, although I'm sure the scandal has been reported there as well. There's a good possibility here that Sony has sold the CDs in the UK, and frankly it should be investigated because Sony deserves to be nailed with every law they violated for this little stunt.

      Besides, has Sony ever released a list of all affected CDs yet?
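The mapping methodology argued over in the comment above is DNS cache snooping: a resolver is asked, with recursion turned off, whether it already has updates.xcp-aurora.com in its cache, and a positive answer implies some client behind that resolver recently resolved the rootkit's update host. The following is an added example, not code from the thread or from the researcher whose map is being discussed. Only the hostname is taken from the thread; the resolver address, the answer IP, the TTL and the two canned replies are constructed so the check runs offline.

```python
import socket
import struct

# Added example (not from the thread or the researchers it cites): a DNS
# cache-snooping check. A query sent with the Recursion Desired (RD) bit
# cleared asks the resolver only for what it already holds; it will not go and
# resolve the name for us. An answer therefore means some client behind that
# resolver looked the name up recently. Hostname from the thread; every
# address, TTL and reply below is constructed for the example.

NAME = "updates.xcp-aurora.com"


def build_query(name, txn_id=0x1234, recursion_desired=False):
    """Build a DNS A/IN query; with recursion_desired=False the RD bit is 0."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack(">HHHHHH", txn_id, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg):
    """Return the transaction id, rcode and the A records in the answer section."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:        # A record
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txn_id, "rcode": flags & 0x000F, "answers": answers}


def is_cached(response):
    """True when a non-recursive query still got an answer, i.e. the name was cached."""
    parsed = parse_response(response)
    return parsed["rcode"] == 0 and len(parsed["answers"]) > 0


def snoop(resolver_ip, name=NAME, timeout=2.0):
    """Live check against a resolver you are permitted to probe (not exercised here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return is_cached(reply), parse_response(reply)["answers"]


# Constructed resolver replies standing in for the network, so the check runs offline.
def fake_cached_reply(query, ip="192.0.2.10", ttl=3000):
    """QR=1, RA=1, one A record whose owner name is a pointer back to the question."""
    txn_id = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txn_id, 0x8080, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + answer


def fake_uncached_reply(query):
    """QR=1, RA=1, empty answer section: not cached, and recursion was not requested."""
    txn_id = struct.unpack(">H", query[:2])[0]
    return struct.pack(">HHHHHH", txn_id, 0x8080, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query(NAME)
    print("cached:", is_cached(fake_cached_reply(q)))     # True
    print("cached:", is_cached(fake_uncached_reply(q)))   # False
```

Two caveats a practitioner would apply before reading a map built this way: a resolver that ignores RD=0 and recurses anyway will report every name as "cached", so compare the returned TTL with the zone's authoritative TTL (a value below it indicates a genuinely cached entry rather than a fresh lookup), and probing resolvers you do not operate is itself unauthorised traffic in many jurisdictions, which is why this example only exercises the constructed replies.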

  7. Is the DVD Jon code executed? by logicnazi · · Score: 4, Interesting

    So I looked through the links, and while one of the discoverers made it quite clear that the LAME code is not being used, merely present as data (never referenced), it was unclear to me if that was true for the DVD Jon code.

    I mean, the DVD Jon code seems like exactly the sort of thing one might want to search for on someone's computer to stop pirating. If indeed it is used only to identify the code, it may be covered under fair use. It's an interesting legal question that I vaguely remember came up in virus/worm/spyware cases. Namely, can a malware writer use some kind of simple code modification method to foul up simple hashes and then insist his copyright prevents anti-virus manufacturers from including large enough parts of the malware code to accurately detect it?

    It might not be pleasant, but if it's fair for the good guys to use code under fair use for detection, then the bad guys get to do it as well.

    Which reminds me, I don't even remember the legal status of this DVD Jon code in the US. Is it illegal under the DMCA? Does this deny it copyright protection, or is that a different measure?

    --

    If you liked this thought maybe you would find my blog nice too:

  8. Sony VAIOs by Anonymous+Writer · · Score: 3, Interesting

    Does anybody know if Sony pre-installs this rootkit in the computers they sell? I thought their laptops were good products, and normally would be among my choices if I were to get a new one (slight possibility I may want to get a Windows laptop), but this whole rootkit thing changes that. If they so blatantly forced it onto people's computers through music CDs, even trying to on Macs, then I don't imagine they would have any qualms about forcing it onto their computer buyers as well.

  9. Re:pissing contest. by KinkoBlast · · Score: 4, Interesting

    Does that mean Best Buy and Wal*Mart (and local music stores, not that I even know where those are) are (L)GPL violators too? They distributed the CDs...

  10. Re:Wow. Just WOW. by iainl · · Score: 4, Interesting

    I thought that was roughly the case, thanks for confirming it. Sorry about saying it was just Jon's and forgetting about the rest of the team, too.

    So, quite apart from the fact they've stolen your code, the question now is:

    Why does Sony's DRM include code to break Apple's DRM? Are they just scanning for evidence that your code is running, statically built the library because they were stealing some other aspect of your program, or do they actually want to decrypt Apple files?

    This story just gets stranger.

    --
    "I Know You Are But What Am I?"
  11. Re:Very Dangerous Reasoning by vinniedkator · · Score: 4, Interesting

    IANAL, but: I've often had to have vendors go through a code review when implementing custom applications in our network. You would think that Sony would require the same thing when putting software like this on millions of CDs. If they did have a policy they should be liable. If they didn't then they are morons for accepting software at face value that goes on their most important product.

    --
    WARNING: WE HAVE NOT CONDUCTED A FELONY-CONVICTION SEARCH OR FBI SEARCH ON THIS INDIVIDUAL.