Sony Rootkit Allegedly Contains LGPL Software

Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distrbuted, hence breaching the license. Here is an english translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.

Takedown noticy against Sony

[by Anonymous Coward]

Someone should send a takedown notice to the Sony corporation.

It serves them right!

[AndroidCat (229562)]

If they'd gone Open Source from the start with their rootkit, the community could have contributed bug fixes and improvements. Even their competitors could have gotten involved, resulting in a truely powerful bug-free rootkit for use by everyone.

Glee

[johnos (109351)]

Its beautiful. I've always thought that the corporate war on their customers over intellectual property would turn when someone went too far. All of a sudden the main stream media would wake up and finally get it. Well, now its happened. The media is all over the story and Sony, bless their hollow little heads, just keep digging. I'm sure I'm not the only one who was shocked but not suprised at the news Sony or Level 4 have broken the LGPL. They are staggering around like a pummled prizefighter, bleeding on everything. There's going to be more blood before this is over. Besides the $billion or so it will cost Sony to clean up the mess, others will have some 'splainin to do. Like the anti-virus companies, like Microsoft, like the other music companies.

Re:Glee

[Omnifarious (11933)]

I haven't bought a CD in years. It's put a big damper on my listening to new music, but it's just not worth it to support that industry. I've heard that Ani DiFranco's label is completely independent though, so I might go buy her stuff.

Re:Glee

[Lisandro (799651)]

It is. It's called Righteous Babe records [righteousbabe.com].

Sneaky Sony

[Ritz_Just_Ritz (883997)]

I knew something was up when I saw that Aibo perched at my keyboard when I woke up this morning.

Next thing you know, they'll be after our precious bodily fluids.

More info

[muzzy (164903)]

The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.

Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/ [hack.fi]
There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.

What's next?

[Pig Hogger (10379)]

The more it goes, the worse it seems. What's next?

- Sony rootkit eats kittens?
- Sony rootkit throws momma from the train?
- Sony rootkit spawns Darth Vader?
- Sony rootkit deflates tires of soccer moms?
- Sony rootkit steals cookies from girl scouts?
- Sony rootkit cheats at final exams?
- Sony rootkit pours hot grits down Natalie Portman's pants?

Re:What's next?

[10101001 10101001 (732688)]

- Sony rootkit infringes cookies from girl scouts?

There, fixed that for you.

It even has some GPL compnonets

[leuk_he (194174)]

looking at the licence of lame: [sourceforge.net]

*** IMPORTANT NOTE ***

The decoding functions provided in LAME use the mpglib decoding engine which
is under the GPL. They may not be used by any program not released under the
GPL unless you obtain such permission from the MPG123 project (www.mpg123.de).

So it is not only LPGL, but also the more strict GPL. This is of coarse all meaningless if nobody from the mpg123 project steps out and tells sony to go with the license.

outdated info, it's LGPL nowadays

[muzzy (164903)]

That's outdated. mpglib was relicensed under LGPL some years ago already, check www.mpg123.de

tell the developers about the money

[r00t (33219)]

Thanks in part to lobbying efforts by Sony, each CD-ROM carries a penalty of around $75000.

Suppose the case settles for 10% and the lawyers take 90%. That leaves $750 per CD-ROM for the mpg123 developers. Now think about how many CD-ROMs have been produced.

Oh, what I'd give to have Sony infringe my open source project! The mpg123 developers are some lucky bastards for sure. I need to learn how to write Windows multimedia software instead of just Linux system software.

Let EFF know what you think

[chihowa (366380)]

This seems like a pretty good GPL test case. The irony of copyright infringement being used to develop a copyright protecting program would likely go over will with the court!

Plus patents...

[Bazman (4849)]

"So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license..."

... from a project that may be[1] in violation of patent law! Woohoo!

Baz

[1] in some lawyers opinion.... see http://en.wikipedia.org/wiki/LAME [wikipedia.org] for info.

Sony needs to protect its image...

[digitaldc (879047)]

...not its CDs. They have done more to damage their image and profits with this story than they would have saved by installing its spyware.
I also feel sorry for the poor chap who buys Ricky Martin, Neil Diamond or Celine Dion CDs, I really do.
Sony should have some kind of disclaimer about installing its bad software, maybe a 'Spyware Advisory' sticker? It is only fair.

Re:Sony needs to protect its image...

[ettlz (639203)]

I also feel sorry for the poor chap who buys Ricky Martin, Neil Diamond or Celine Dion CDs, I really do.

Yes, but what about the DRM issue on these CDs?

Sabotage from within?

[jeffs72 (711141)]

I could see the developer who had this project fall in his lap say "this is fucking stupid, lets teach them a lesson on integrating spyware with their cds" and violating this license (which will give them a black eye) and then write it in such a way that people can easily use it as a virus/trojan vector.

The more I think about it, it really smells of dissention from within.

Either that or it looks to me like this is a mix of business people not understanding their market, customers, or technology and sloppy code work. I mean, what asshat would grab some open source code and not adhere to the license? It is either a tremendous faux pas on Sony's part, or there was some intentional act here to make this as reprehensible as possible.

Sort of like watching the music industry test the waters on this sort of thing and finding them extremely chilly.

Ironic?

[Rakishi (759894)]

First of all it seems that there is more than just LAME in there: http://hack.fi/~muzzy/sony-drm/ [hack.fi]

Second of all, am I the only one who finds it ironic that a DRM program designed to protect someone's copyrighted information is itself infringing on someone's copyright? I guess if Sony wants to fight those evil copyright violators they should start by putting themselves in jail.

In Case Anybody's Losing Track

[trentrez (918830)]

FYI. BoingBoing have compiled a comprehensive timeline of events surrounding this: http://www.boingboing.net/2005/11/14/sony_anticust omer_te.html [boingboing.net]

What does the rootkit do when it detects LAME?

[dmoen (88623)]

1. It seems that Sony has not actually included any executable code from LAME, only some data, which is likely used as a signature, to determine if you have LAME installed and are using it to rip MP3s. This is likely fair use, not wholesale copyright violation, as far as LAME and the LGPL are concerned.

So the interesting question is: what does the rootkit do when it detects LAME on your hard drive? Does it disable or corrupt LAME? Does it phone home? Does it automatically initiate an RIAA lawsuit?

*This* is what I think the next Sony class-action lawsuit should be about. I doubt there is enough grounds to get them on an LGPL copyright infringement suit.

2. Muzzy points out that the Sony uninstaller installs a "safe for scripting" Active-X control with remotely exploitable entry points for rebooting your machine and possibly for installing arbitrary code on your machine. More fuel for the tasty class action suits that are starting up.

3. Sony has done so many evil things with the rootkit fiasco (and we haven't discovered them all yet); the outrage is spreading, and it may lead to a major backlash against the whole industry practice of distributing corrupted CDs in the name of DRM. Here's hoping for a brighter tomorrow.

Doug Moen.

Not Sony

[MaestroSartori (146297)]

Disclaimer: I'm a Sony employee, and I strongly disapprove of the rootkit DRM stuff in a completely unofficial not-representative-of-the-company way ;)

But it's worth mentioning at this point that Sony didn't develop the software in question here - the XCP [xcp-aurora.com] software was developed by First4Internet [first4internet.com].

Not being a lawyer, or particularly knowledgable about (L)GPL terms, who could be held liable when a piece of software is developed by one party, but distributed by another? Is ignorance a defence, for instance if Sony said "We didn't know it had unlicensed code!", how would that affect things?

Re:Not Sony

[jrcamp (150032)]

"But I didn't know my Internet connection was being used by my son to download Sony BMG artists' songs!"

"I'm sorry sir but you're the owner. You owe $500,000 in damages."

They don't allow the "but I didn't know" explanation. Why should they be allowed to use it? I say try to nail them. They've done far worse to others.

It's getting pulled anyhow

[confusion (14388)]

Not that it lessens their tresspass, but Sony is apparently pulling the "infected" CDs:
http://www.usatoday.com/tech/news/computersecurity /2005-11-14-sony-cds_x.htm [usatoday.com]

Jerry
http://www.cyvin.org/ [cyvin.org]

Re:It's getting pulled anyhow

[Slashcrap (869349)]

Not that it lessens their tresspass, but Sony is apparently pulling the "infected" CDs:
http://www.usatoday.com/tech/news/computersecurity [usatoday.com] /2005-11-14-sony-cds_x.htm [usatoday.com]

Are they also pulling all of the infected PCs in for free repairs?

No? Then let's not help these wankers by helping to spread their desperate PR pieces.

How many of you have PS3's on preorder now?

[C. Mattix (32747)]

So is the Slashdot crowd going to complain and moan about Sony being a servant of the devil, and then happily go to Best Buy and get ther shiny new PS3?

Re:Uuuuuh

[YA_Python_dev (885173)]

Doesn't the LGPL permit this?

No. You can link LGPLed software with proprietary software, but you must still distribute the sources of at least the free software (free as in RMS).

"operating system on which the executable runs"

[tepples (727027)]

<sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>

The GNU General Public License [gnu.org] and the GNU Lesser General Public License [gnu.org] have an operating system exemption. The exact wording of the exemption in both licenses is as follows:

However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.

Re:"operating system on which the executable runs"

[maxwell demon (590494)]

Moreover, the gcc runtime libraries (the only part of gcc which ends up in gcc compiled code, and therefore could affect the licensing) all have special exceptions to the GPL, so that they don't cause the programs they are linked to to be covered by the GPL.

Re:Uuuuuh

[wlan0 (871397)]

According to the EFF.

This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.

Notification?

[Grendel Drago (41496)]

This is all so ridiculous. It's not like Sony even asks the user if they want this crap installed. Where would they even put the copyright notice? Of all the underhanded nonsense...

Re:Notification?

[Professor_UNIX (867045)]

This is all so ridiculous. It's not like Sony even asks the user if they want this crap installed. Where would they even put the copyright notice? Of all the underhanded nonsense...

This is the problem with the viral nature of the GPL and even the LGPL licenses and is why you should really consider using BSD licensed software in your DRM rootkits in the future. Screw the FSF!

Nope.

[Dr. Manhattan (29720)]

If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL. If you dynamically link to the LGPL code (e.g. shared library, DLL) then you don't have to open up the code that links to it (this is the primary difference between the GPL and the LGPL) but if you distribute the LGPL library with your binaries, you must offer the code for the LGPL portion, too.

That being said, from what I've read it appears that the Sony DRM code may be looking for LAME on the system (to block it from working on their 'protected' stuff) but doesn't appear to actually contain LAME code.

Almost.

[by Anonymous Coward]

If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL.

Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distibuting statically linked binaries and all .o files (also the closed ones). AFAIK, Loki did this for statically linked, closed-source, SDL-based games.

no excuse

[r00t (33219)]

Sony may claim to be looking for LAME. If so, they are using copyrighted samples to do it.

Since Sony already argues against fair use of samples, one need only supply the court
with Sony's own arguments against fair use.

Re:Uuuuuh

[DataPath (1111)]

Small clarification - you're not freed from the requirement to make the code for the lgpl portion available. You don't have to make the source code for the program that links against the LGPL code available.

No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and direct users of the software to a website containing the source code.

Re:Uuuuuh

[ppz003 (797487)]

$sys$README ?

WRONG

[samjam (256347)]

"to a website" WRONG WRONG WRONG.

If Sony don't provide the source they must make THE source available to all third parties for at least 3 years.
This is an obligation they must fulfil.

http://www.gnu.org/licenses/gpl-faq.html#Distribut eWithSourceOnInternet [gnu.org]
http://www.gnu.org/licenses/gpl-faq.html#TOCSource AndBinaryOnDifferentSites [gnu.org]
Merely pointing to "a website" or "the website we got it from" is not enough.
You have to make-sure-it-stays-there. And thats not enough.
You also have to let people request it by mail charging only a minimal fee.

You have to track your releases and make sure you keep the source of each release seperately so you can give people the source to the version they had.

Too many people consider only casually the obligation that the GPL puts on them. GPL is not an easy way out.

It's easy to receive GPL software because the burden is on the distributor, but you must understand and fulfil the burden when you are the distributor.
With most commercial software you pay some money before you receive it but you still have to follow the license guidelines.

Is it too often for me to say again that too many people distibute binary packages to open source software and distribute the source they compile to make the binary package but do not distribute the source to making the binary package; i.e. the .spec file, or the dev-src equivalant.

Sam

Re:Well, hang on a minute

[Vo0k (760020)]

You have to redistribute source of these libraries and enough hooks/API so anyone could replace them with whatever they like in your program. So either link dynamically (and include just the lib sources) or if you link statically, include source of the libraries and .o objects of your binary so they can be re-linked.

Re:Thank god!

[Halo1 (136547)]

They're not stealing code, they're infringing on the author's copyrights by not respecting the license under which the code is be distributed (in exactly the same way people who "share" Sony/BMG music via p2p etc infringe on Sony/BMG's and the the artists' copyrights).

Re:Thank god!

[Sepper (524857)]

(in exactly the same way people who "share" Sony/BMG music via p2p etc infringe on Sony/BMG's and the the artists' copyrights).

Not sure about the English language, but in my own we have a saying for this: "Do what I say, not what I do"

Re:Thank god!

[IAmTheDave (746256)]

Not sure about the English language, but in my own we have a saying for this: "Do what I say, not what I do"

Yup, that's right. The thing that kills me is that certain members of our government are busy drafting legislation that would make criminal penalties against copyright infringement harsher [slashdot.org], including jail time. No doubt Sony is a sponsor of this bill - or at least the RIAA/MPAA, of which Sony is a member. Yet do you think that Sony would ever be concerned about holding themselves to the same standard? Would they, as a sponsor of this proposed legislation, support the CEO, CIO, chief architect, programmer, or otherwise spending some time in jail for an LGPL or GPL copyright violation?

The double standard kills me, and in cases like this where Sony's actions are quite simply audacious, I almost start to feel physical anger. I'm tired of being treated like a criminal, and it's really about time that a company like Sony be held responsible for the huge amount of personal and other violations that they have trampled on with this one single action of releasing this software.

GPL gives rights beyond copyright law

[chihowa (366380)]

Of course you're a troll, but I'll bite anyway.

The thing that people don't seem to realize is that if the GPL doesn't hold any water (and it may not), then the whole thing just collapses back to plain old copyright law. In that case, they can't copy and sell the code at all without permission from the writer.

If I write a book and release it on the internet for everybody to download for free, you still can't copy and sell it without my permission. The fact that the code is offered for free doesn't mean that the writer has given up his rights to the work. In fact it is the GPL that gives people the right to copy and sell the work, if they follow the rules outlined in it. Breaking the GPL means you don't have permission to copy and sell the works at all. It is the GPL itself that makes it legal for people to copy and sell GPLed work. Without the GPL it's just plain ol' copyright infringement.

Re:Code vs metadata

[muzzy (164903)]

Wrong, it isn't used for identifying anything. The GO.EXE only contains the strings and data but it isn't used there. I wasn't able to find any code in the executable that uses the data (for any purposes), and I looked pretty hard. It's been statically linked but unused. HOWEVER, there are more binaries on the CD compressed in XCP.DAT, which get installed to the system along with the DRM crap. At least one of these binaries contain LAME code for certain. The GO.EXE might not be enough for a case, but that's just the tip of the iceberg. There's real infringement in at least one other executable.

Re:Code vs metadata

[courtarro (786894)]

At least one of these binaries contain LAME code for certain.

Are you arguing that the included code is being used in a way that violates Fair Use, or that simply including the code for comparison (as the grandparent argues) is not fair use? I can't imagine why Sony would need to "use" several MP3 encoders (this comment [slashdot.org] links to a list of them) to actually encode music. Thus, I would assume that Sony is including bits of code from these programs in order to prevent them from running. Is that a violation of the LGPL?

Re:Code vs metadata

[arkanes (521690)]

It is a techncial copyright violation (and there is no fair use right that covers it) to distribute LAME code in object format, no matter how it is used, or even if it is not used at all. Just like it would be copyright infringment for me to ship my app with a tarball of the Windows source code in it.

To my knowledge, there is no fair use right that covers distribution in any form except for first sale, which doesn't apply here and only arguably applies to digital distribution at all.

... or maybe yes

[muzzy (164903)]

That only concerns GO.EXE, and while the analysis is correct for that executable, I checked for LAME references against every binary in the compressed XCP.DAT file after I managed to unpack it (thanks to freedom-to-tinker.com guys for providing description of the format). Turns out, there's more binaries including references to LAME, and this time there's actually code that uses the data as well. And not just LAME, there's also Id3lib included in one dll, and bladeenc and mpglib distributed along with the DRM. All of this is LGPL, it's code, and it's being used.

LAME is in there, just not in GO.EXE

[muzzy (164903)]

Regarding GO.EXE, it's a cockup. I've posted a few other posts here explaining the real situation. LAME along with some other LGPL code is being used in other binaries on the DRM, I couldn't initially find them since they're compressed in XCP.DAT on the cd but they get installed on the system.

Re:So... How about them statutory damages...

[Yartrebo (690383)]

IANAL, but judging from the RIAA's press releases when they sue grannies and kids, it's per copy and per work. So let's do the math. 20CD * 1 million copies each * $150,000/copy = $3 trillion dollars. That's if there's only 1 work on each copy. If they also infringed on several other projects, then you would have to multiply the damages accordingly.

Re:LGPL

[DVega (211997)]

LGPL requires access to the source code. The only difference with GPL is that LGPL allows linking with non-free (non-?GPL) components.

Re:I don't get it

[Walkiry (698192)]

>Anyone have any ideas?

Well, according to some people who have had to exorcise the demon from their windows PC, what happened after installing the rootkit is that MP3 files ripped from other CDs came back worse to wear, with noise, loss of quality and whatnot.

If that is true, you can probably connect the dots easily and see what Sony was after :-)