DVD Jon's Code In Sony Rootkit?
An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."
The Revenge of the Sick (with copy protections)!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
looks like they owe the kid some royalties...
If you don't know what AltaVista is (was), get off my lawn.
That's what I get for actually trying to RTFA, I guess.
.... still have feet after shooting themselves in the foot so often.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
This is GPL'd code, not LGPL'd, right?
Anyway, DVD Jon can actually sue Sony for all *revenue* that Sony made from the sale of the CDs, if I'm not mistaken (not just profits). That would grab them where it hurts!
"I have never let my schooling interfere with my education." - Mark Twain
I said right off the bat, that the Sony DRM package would be full of others' code. Seems to me that Sony hired some blackhats to get the job done for them. Violating the GPL is definitely the least of their worries, but just another strike against what is becoming an increasingly corrupt music giant.
Read the only personal Runyon page out there.
Sony ought to be in some severely deep shit here. Of course they're a corporation, so they're mostly above the law, but we should still be able to get something to stick.
Real Daleks don't climb stairs - they level the building.
Remember, Sony purchased the rootkit from First4Internet. They wrote the software that is abusing the GPL.
Most folks don't review the sourcecode of software they purchase to determine if its license-tree is clean.
Sony definitely made a truly dumb move by utilizing this DRM software (and several other dumb moves subsequently), but let's not let First4Internet off the hook either.
It's not my fault! It was this way when I got here.
Dumping PS3 in favour of 360 because you think Sony's evil is kind of similar to dumping Saruman in favour of Sauron.
Personally, I'm rather taken with that nifty new controller they're putting on the Revolution...
Real Daleks don't climb stairs - they level the building.
This story gets weirder by the minute.
Though it wouldn't happen in a million years, I'd like to think this will bring Sony to its knees. It won't, but someone can dream.
Not that I had anything against Sony in the first place, but since this crap they threw out there and expected everyone to just "take it", they need to be slapped and slapped often.
They haven't even apologized yet. At least I haven't seen it. Though just saying "sorry" doesn't cut it anymore as thousands of computers are now vulnerable in the world due to their greed.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
From the Sony binary file:
"pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq."
ROT 13 it, and you get
"copyright (c) Apple Computer, Inc. All Rights Reserved."
You couldn't make it up, could you?
"I Know You Are But What Am I?"
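The check described in the comment above (a ROT13-encoded copyright notice sitting inside a binary) can be automated when auditing third-party code for provenance. The following is an added example, not code from the thread or from the researchers named in the story: it extracts printable ASCII runs from a byte blob, `strings`-style, and reports runs that carry a licence or copyright marker either in the clear or after ROT13. The marker list, the function names and the sample blob (built around the string quoted above) are assumptions constructed for illustration.

```python
import codecs
import re

# Licence/copyright markers to look for (assumed list, extend as needed).
MARKER_RE = re.compile(
    r"\b(copyright|all rights reserved|general public license|gpl)\b",
    re.IGNORECASE,
)

MIN_LEN = 6  # shortest printable run worth inspecting, as with strings(1)


def printable_runs(blob, min_len=MIN_LEN):
    """Yield (offset, text) for each run of printable ASCII in blob."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(blob):
        yield match.start(), match.group().decode("ascii")


def find_notices(blob):
    """Return marker hits found in plain or ROT13-decoded strings."""
    hits = []
    for offset, text in printable_runs(blob):
        candidates = (
            ("plain", text),
            ("rot13", codecs.decode(text, "rot_13")),
        )
        for encoding, candidate in candidates:
            match = MARKER_RE.search(candidate)
            if match:
                hits.append({
                    "offset": offset,
                    "encoding": encoding,
                    "marker": match.group(0).lower(),
                    "text": candidate,
                })
    return hits


# Constructed sample: binary padding around three strings, one of them the
# ROT13 notice quoted in the comment above. Not bytes from the real file.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00"
    b"pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq."
    b"\x00\xff\xfe"
    b"This program cannot be run in DOS mode."
    b"\x00"
    b"Copyright (C) Example Vendor Ltd"
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_notices(SAMPLE_BLOB):
        print(f"0x{hit['offset']:06x} [{hit['encoding']}] {hit['text']}")
```

A hit only shows that the string is present; whether the surrounding code is actually linked and executed, or merely carried as data, needs disassembly to establish.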
I think the EFF should dream up a contest, and the most crazily ironic story involving DRM, copyright, and the law would win a prize.
Oh, too late! Sony already wrote the best story, and it's actually happening before our eyes! Truth is stranger than fiction. And Sony wins many massive lawsuits. Err, I mean they lose them, the prize is they get sued.
Saskboy's blog is good. 9 out of 10 dentists agree.
Sony.....
Microsoft
Man- this is a tough one.
DVD Jon's Code In Sony Rootkit? "The ironing is delicious".
3.(1) A person is guilty of an offence if
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.
I think First4Internet's little toy is designed to prevent or hinder access to programs and data held in a computer, don't you? And I really doubt that their click-through EULA constitutes authorisation to do so; it was fraudulently claimed that the Software was necessary to play the music, which was a plain lie as is shown by every Linux and Apple machine that plays it just fine without the rootkit installed.
I might add that even though these discs are not available in the UK, the Computer Misuse Act still holds.
Anyone know if we could possibly get Inspector Knacker to take a look at these felonious fellows?
Real Daleks don't climb stairs - they level the building.
Not that I could not before, but I can now copy and download all the Sony CDs I want without fearing a lawsuit. They apparently don't care about intellectual property.
God, root, what is difference ?
laughing my ass off. I am sitting at work reading this and busting out in laughter. Granted, I can't explain this idiocy to near anybody at work and it's a totally 'nerd' joke, but you know what... it's DAMN funny!
The price is always right if someone else is paying.
It could just be using extracts to identify the software. I mean, why would they want LAME and DeCSS on their CDs? They have no use. We don't need an MP3 encoder because any compressed copies will be already encoded in a DRM format. They really don't need to decode iTunes songs.
If these are small segments, used for identifying and disabling the software, then the copyright defence could be fair use. And there's no way I'll say that copyright should prevent this.
So I looked through the links and while one of the discoverers made it quite clear that the LAME code is not being used as data (never referenced). However, it was unclear to me if that was true for the DVD Jon code.
I mean the DVD Jon code seems like exactly the sort of thing one might want to search for on someone's computer to stop pirating. If indeed it is used only to identify the code it may be covered under fair use. It's an interesting legal question that I vaguely remember came up in virus/worm/spyware cases. Namely can a malware writer use some kind of simple code modification method to foul up simple hashes and then insist his copyright prevents anti-virus manufacturers from including large enough parts of the malware code to accurately detect it.
It might not be pleasant but if it's fair for the good guys to use code under fair use for detection then the bad guys get to do it as well.
Which reminds me I don't even remember the legal status of this DVD Jon code in the US. Is it illegal under the DMCA? Does this deny it copyright protection or a different measure.
If you liked this thought maybe you would find my blog nice too:
This is like watching a comedy movie, except I didn't have to pay for a ticket!
(wait, does it mean MPAA will come after me?)
Circumcision is child abuse.
Get it here.
press releases here stating:
...
...
* First4internet loses Sony BMG as customer
* First4internet cancels XCP development
* Due to First4Internet's huge liability claims, First4Internet closes its doors
* First4Internet bought by Microsoft
* Profit ?
...if some clever programmers at First4Internet with an agenda did this on purpose.
:)
It was obviously a golden opportunity to bring the whole DRM BS to a head.
If that's the case, bravo!!
I assume that some grey, suited MBA type didn't put this code in. A geek did. Following on from that, they are almost certainly slashdot readers....
Does anyone have something they would like to tell us?
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
I wonder if it's the same code they used in their digital camera rootkit.
... one must first understand recursion.
Sony uses rootkit to enforce DRM which incorporates code to circumvent DRM and thus can sue itself under the DMCA. C'mon! If this gets any more convoluted or self-referential, either the universe will explode (and be replaced with something even more complicated) or Sony will disappear in a puff of logic.
You buy a CD from Sony (or an artist...), not from some spyware company. And if F4Internet blames 1 rogue employee, will you accept that as a defense?
No this is far beyond a "vote with your wallet" story. Sony BMG broke some laws they thought were important for their business model, and now they should bleed for it.
When some cheapskate downloads copyrighted MP3s from a P2P network, it's `copyright infringement', but when Sony uses GPL'd code it's `stealing', right?
Join the NFSNET. Our prime goal is making little numbers out of big ones. http://www.nfsnet.org/
SCO Unix source code found in Sony Rootkit. I wish.
I have been good for most of this year and I am willing to give up any claim I might have on a scalextric or video game if you could only make this /. story be true.
Yours,
Dave Smith
(Aged 34)
Right you lot. I've done my part now it is down to you to ask for enough money to prosecute these imbeciles so that they don't do anything quite so stupid again.
My god, at this rate SCO code will be found next
Stop invalid scientific research. Ask your local scientists to feed their lab rats with a phytoestrogen-free chow.
Does anybody know if Sony pre-installs this rootkit in the computers they sell? I thought their laptops were good products, and normally would be among my choices if I were to get a new one (slight possibility I may want to get a Windows laptop), but this whole rootkit thing changes that. If they so blatantly forced it onto people's computers through music CDs, even trying to on Macs, then I don't imagine they would have any qualms about forcing it onto their computer buyers as well.
I've been chasing down several accounts of government agencies, companies, educational institutions and others banning the use of Sony CDs on their PCs, due to the security risks of having Sony's rootkit DRM infecting their PCs. One government ministry, Alberta Agriculture, has banned the use of music CDs altogether, since Sony is hardly the only music company crippling its CDs with sneaky, malicious software. Here are a couple examples:
Here I thought this would only happen for "secure" workplaces. Sorta makes you feel sorry for SCO, they can't get anyone to even look at the crazy they're selling when Sony's got such a superior line of insane self-destructiveness.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Didya notice... the spin that - possibly - Sony has managed to put on the story
CNN Europe and other mainstream media providers carried it like this:
The trouble with the Sony software is that it makes your computer VULNERABLE TO VIRUSES.
The mainstream spin is that the Sony software just opens the door to the bad guys. The word "rootkit" is not offered.
It makes out as though Sony blundered and issued some insecure software, and how big a deal is that?
This story deserves to grow and become a defining moment, but there's a long way from the tech community to the mainstream media.
Now is the winter of our disco tent
http://cp.sonybmg.com/xcp/english/form11.html
Look, it's very simple: people are kicking up a fuss about this because it is hypocritical for Sony to maintain its anti-copyright-infringement stance, and attempt to take the moral high ground in this regard, if Sony itself is infringing copyright left, right and centre.
If a politically powerful, fanatical anti-drug campaigner who constantly lobbied for pot-smokers to be thrown in jail for years and fined huge sums of money were caught smoking pot, I would not be surprised to see large numbers of people demanding that he be thrown in jail and fined millions, in keeping with the laws that he himself helped establish, even if they were pro-legalisation activists who firmly believe that the laws are unjust.
It is a challenge to the legal system to treat everyone equally under the law, and thus either apply an unfair, draconian law to everyone, including powerful parties who have previously used the law against their enemies, or to concede that the law is unfair and change it.
He knows
IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code).
You know, I think that this does make sense. However, this is a very dangerous line of reasoning. If you let Sony get off with no consequences for distributing stolen code, then you will never be able to prosecute any big corporation for code copyright violations.
All a mega-corp need do is find a small, arms-length firm to launder the stolen code. Let that small firm actually steal it and then hand it on a silver platter to the mega-corp. If the mega-corp is caught, the small firm takes the hit and disappears in a puff of bankruptcy. Then mega-corp goes on to the next small firm.
If Sony truly didn't know about this, then they probably should not be liable for any statutory damages. However, they did distribute the code--which is technically a violation. Sony should be the one accountable for that violation and Sony should be able to sue First4Internet--unless of course First4Internet's license with Sony includes the standard indemnification clause like we see in most EULAs. In that case, Sony will be hoisted by their own petard--and it couldn't happen to a nicer group of people.
"Who is more evil now? Sony or Microsoft?"
Microsoft installed more rootkits: Windows XP.
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
You might care about PS3's DRM. Apparently Sony is trying to figure out a way to prevent used games from being played on it. And they are apparently working on preventing you from playing your games on any other system than your own (so you can't take your game to a friend's place and play there). SCEA is just as scummy, greedy and paranoid as Sony Music is.
Sony stated that they did not intend to use the patent they filed on this for the PS3.
You didn't really address my point at all. You said that punishing SCEA does not make sense, because Sony Music is a different division. I beg to differ, they are both part of the same corporation.
:-)
Ok, I have friends who work at SCEA. You want to punish them? The idea to use f4i DRM wasn't theirs [fuck they don't even work for Sony Music].
So by your logic we should punish everyone by association. I can think of another group that did that. They were called Nazis
[sorry Godwin...]
Point is if you think this is bad don't buy Sony Music. If you think PS3 DRM is bad don't buy Sony gaming products. But don't just punish one group because another did something else.
And really, you should actually talk with sony folk. They may be under the same parent company but when you get down to the day-to-day work SCEA and Sony Music are different groups with different products and different goals.
As for the moral superiority of MSFT that the original post was suggesting [e.g. do I get 360 or ps3] this alone shouldn't be a deciding factor.
Pick whichever has the better games [for your taste] and fits in the budget.
Tom
Someday, I'll have a real sig.
I'd say that at least a third of the population condones non-commercial copyright infringement... The point is, when an act is accepted by a significant proportion of the population, chances are that act is ethical
So obviously Sony (or the company that wrote the code if you want to get pedantic) is right to have infringed upon DVD Jon's code.
How is this copyright infringement non-commercial? It was done for profit by an organization whose stated goal is to make money.
So it all comes down to slashdot isn't the place to go to if you want to hear intelligent debate about copyright laws.
True enough, but only because there are so many people like you who don't seem able to comprehend the arguments put forth. A significant number of people infringe copyright non-commercially and that indicates that the will of the people might be that it should be legal. A significant number of people do not commercially infringe copyrights or condone it. I'd agree with that argument, as would many people. But to claim it is hypocritical is ridiculous. It is called a false dichotomy. There is no hypocrisy in believing that non commercial copyright infringement should be legal, but commercial should be illegal. There is no hypocrisy in believing our copyright system is corrupt and counter productive, but still believing a copyright system that is better designed can be useful. There is no hypocrisy in believing business and software patents are garbage, but traditional patents are a good idea. There is no hypocrisy in believing Toyota makes reliable cars but Ford does not. Please take the time to actually read and understand an argument someone puts forth before declaring them a hypocrite and ascribing a whole lot of motives to them, even though you obviously have no way of knowing them.
Did you know copyright infringement is a crime?
Well, it is.
Or at least, it should be in all countries that signed the TRIPs agreement. It says so in article 61:
http://www.wto.org/english/tratop_e/trips_e/t_agm
--
SECTION 5: CRIMINAL PROCEDURES
Article 61
Members shall provide for criminal procedures and penalties to be applied at least in cases of wilful trademark counterfeiting or copyright piracy on a commercial scale. Remedies available shall include imprisonment and/or monetary fines sufficient to provide a deterrent, consistently with the level of penalties applied for crimes of a corresponding gravity. In appropriate cases, remedies available shall also include the seizure, forfeiture and destruction of the infringing goods and of any materials and implements the predominant use of which has been in the commission of the offence. Members may provide for criminal procedures and penalties to be applied in other cases of infringement of intellectual property rights, in particular where they are committed wilfully and on a commercial scale.
--
So, commercial copyright infringement, as is obviously the case here, is to be regarded a criminal offence in all countries that signed the TRIPs agreement. And if it is a criminal offence, the government is responsible to take the offender to court and throw him in jail should he be found guilty!
All you gotta do is go to the police and hand over all evidence you can find regarding this alleged crime. Then the police should start investigating in order to bring these criminals to justice!
This is great! This is the key to enforcing the GPL globally without having to be the author or copyright owner of the code of which the copyright has been violated. That's the beauty of criminal offences. These are prosecuted by the government on behalf of the public.
Let's take a look at what I could find on this in the US law, since these disks have been sold in the US, haven't they?
What I found out is that -- for me -- over the ocean, they have the "Anticounterfeiting Act of 2004":
http://www.publicknowledge.org/issues/hr2391
"Provides penalties and jail sentences for trafficking in "counterfeit labels, illicit labels or counterfeit documentation or packaging" of records, software, movies, etc. The original bill also provided penalties for filing false information with Internet registrars, but that portion wasn't picked up in the omnibus. Passed the House Sept. 21, 2004."
As far as I can see, this is the law text that applies and apparently is in act:
http://www.law.cornell.edu/uscode/html/uscode18/u
--
TITLE 18 > PART I > CHAPTER 113 > 2318 Trafficking in counterfeit labels for phonorecords, copies of computer programs or computer program documentation or packaging, and copies of motion pictures or other audio visual works, and trafficking in counterfeit computer program documentation or packaging
Release date: 2005-08-03
(a) Whoever, in any of the circumstances described in subsection (c) of this section, knowingly traffics in a counterfeit label affixed or designed to be affixed to a phonorecord, or a copy of a computer program or documentation or packaging for a computer program, or a copy of a motion picture or other audiovisual work, and whoever, in any of the circumstances described in subsection (c) of this section, knowingly traffics in counterfeit documentation or packaging for a computer program, shall be fined under this title or imprisoned for not more than five years, or both."
--
"or a copy of a computer program"
Looks like those criminals copying GPLed software can be sent to jail!
According to this they're already looking into it
-- "At Microsoft, quality is job 1.1" -- PC Magazine, Nov. 1994
There are many types of copyright violations with very different types of severity:
The first type is when someone goes out and downloads a song, let's say "...And Justice for All" by Metallica; they have simply avoided paying for it by getting it through illegal means. This does not equate to any directly measurable loss of revenue because when the effective price of something is lowered, people are more likely to get it. Thus it is not only likely that someone would not have bought the CD if the pirate mp3s were not available, but it is actually more likely than not. This is of course not a wholly moral practice, but it is certainly not as bad as many other evils that exist in society today. These are the infractions that occur on Kazaa and the ilk.
The second type of infraction is where one duplicates the media on which intellectual property is contained and sells it themselves at an actual monetary price. This is very different since there is a very obvious minimum bounds of loss of revenue caused by this which is of course the markup on the pirated media. Motivation also changes in this type since there is a very clear misdirection in the chain of money where the pirate gets a clear financial benefit whereas they receive none in the first set. This type of violation is criminal in most jurisdictions whereas the first type is wholly civil.
The third and most severe case is where intellectual property is rebranded and its credit is misappropriated to another party. This historically has been a result of industrial espionage but today, open source software is very vulnerable to it. This is equivalent to the Kazaa casual pirate claiming that they wrote "...And Justice for All". It means that not only does the pirate get the profit for the sale of the intellectual property instead of the legal creator, but those who are convinced to use this thing in future by seeing the rebranded thing will never go to the real author to get a copy for themselves. In either of the previous two types there is a likelihood that the author will eventually get money or whatever they are looking for (usually an ego boost in the case of OSS) but in the third type this is not the case. This is a far more thorough misappropriation of this IP and thus the term "stealing" is far more appropriate.
The reason that these three types are so neatly ranked is that as you can see, each one is a subset of the type before. Not everyone gets annoyed by violations at every layer since OSS doesn't mind first or second type occurring but hates the third kind. SUN doesn't mind the first type occurring but hates the second and third with Java. Public domain doesn't mind any of the three. But no one will let one layer slide that is above something that annoys them.
This case with Sony is clearly not a third type violation (which I would call stealing) but is a second type (which I would call piracy) since Sony did not claim to write this software or even advertise its existence. The GPL says you can do second type scenarios on the condition that you distribute the source code. Sony redistributed this IP for money but did not distribute the source code AFAIK so they violated the rules on this level. This puts them on par with sleazy bootleg vendors on street corners and eBay pirate CD vendors but significantly worse than some kid downloading Nelly mp3s off Kazaa and significantly better than the jerks behind CherryOS.
So there you have it, why downloading some dumb pop song off the internet isn't as bad as taking credit for someone else's hard work and making millions of dollars off it and why Sony are half way in between on this one.
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
Robertson might be interested in bankrolling Jon in any litigation against Sony.
Don't you think they're celebrating now that using audio CDs in PCs is a security risk? I'm surprised they haven't done this sooner. Pretty soon, we'll be asking for Trusted Computing because it will protect us from oursel^h^h^h^h^h^h the security risks inherent in unsafe CD playing....
What will you bet that stiffer penalties only apply to you and me. Corp-Rat entities will never see the stiff end of the stick.
Sicker is that apparently the companies that we rely on for getting rid of root kits knew about the software since 2004 and did nothing. Good going guys.
Doesn't it really make you look forward to VISTA - it is going to have this crap all over the OS - they are working with media companies so everyone has to use Windows to watch TV or DVDs.
None of these companies care about the consumer - they are going to give us what they are going to give us and that's it.
This is why I chose open source and always will. No one is going to tell me how to use my computer.
Is the correct term.
Sure, you could redefine theft to include the lack of transfer of funds as may be required by the combination of law and license, or other definitions, but please don't.
The word theft is more useful when it refers to the act of reducing an owner's possession in order to increase someone else's.
When copying, you are merely increasing the possession of one, and not decreasing the possession of another.
Sure, you're violating what he demanded of you.
Sure, you're violating the law.
Sure, you're doing something many consider wrong.
But you're not stealing. Stop changing English in non-useful ways!
Because it may be ripping off copyrighted source.
And it is getting easier every day to mine compiled closed source for suspicious blocks of binary.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Even if the string was copyrightable, your use is purely functional, and thus not subject to copyright laws in this case.
See Sega Vs Accolade
It's not theft. It's copyright infringement, and Sony and others sue hundreds of people every month for many thousands of dollars over it.
Are you saying DVD Jon doesn't have the same rights as Sony?
Kythe
M$ was more public about what their rootkit does. They tell you it phones home etc.
Sony installs theirs without telling you and then if you try to uninstall it, it roots you even worse