DVD Jon's Code In Sony Rootkit?

An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."

DVD Jon strikes back!

[VincenzoRomano (881055)]

The Revenge of the Sick (with copy protections)!

hmm

[Tibor the Hun (143056)]

looks like they owe the kid some royalties...

Stranger and stranger

[sgant (178166)]

This story get's weirder by the minute.

Though it wouldn't happen in a million years, I'd like to think this will bring Sony to it's knees. It won't, but someone can dream.

Not that I had anything against Sony in the first place, but since this crap they threw out there and expected everyone to just "take it", they need to be slapped and slapped often.

They haven't even apologized yet. At least I haven't seen it. Though just saying "sorry" doesn't cut it anymore as thousands of computers are now vulnerable in the world due to their greed.

Re:Stranger and stranger

[BushCheney08 (917605)]

Bear in mind that Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet [xcp-aurora.com]. While we all should (rightfully) be pissed at Sony for including this on a bunch of their CDs, we should be equally as pissed (or moreso) at First 4 Internet for their (L)GPL violations and for making this product in the first place.

Re:Stranger and stranger

[A beautiful mind (821714)]

Isn't Sony the distributor, thus the violator of (L)GPL ?

Re:Stranger and stranger

[BushCheney08 (917605)]

IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code). Not to mention, they pulled the CDs from the shelves already, which they could say coincided with the revelation of copyright violations on the discs -- ie, immediate action was action. I'm not trying to defend them or their practices at all, I'm merely looking at it from a "who can be held accountable" point of view.

Re:Stranger and stranger

[JustOK (667959)]

It was Bush, wasn't it? I mean, he lied about the Windows Media Discs, didn't he? Or something?

Very Dangerous Reasoning

[isn't my name (514234)]

IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code).

You know, I think that this does make sense. However, this is a very dangerous line of reasoning. If you let Sony get off with no consequences for distributing stolen code, then you will never be able to prosecute any big corporatio for code copyright violations.

All a mega-corp need do is find a small, arms-length firm to launder the stolen code. Let that small firm actually steal it and then hand it on a silver platter to the mega-corp. If the mega-corp is caught, the small firm takes the hit and disappears in a puff of bankrupcy. Then mega-corp goes on to the next small firm.

If Sony truly didn't know about this, then they probably should not be liable for any statutory damages. However, they did distribute the code--which is technically a violation. Sony should be the one accountable for that violation and Sony should be able to sue First4Internet--unless of course First4Internet's license with Sony includes the standard indemnification clause like we see in most EULA's. In that case, Sony will be hoisted by their own petard--and it couldn't happen to a nicer group of people.

Re:Stranger and stranger

[Generic Guy (678542)]

ie, immediate action was action.

Except after the initial exposure of this rootkit in their products, Sony bigwigs were on NPR radio broadcast saying essentially (paraphrased) "What they don't know won't hurt them". I'd certainly content that constitutes delayed action, and possibly collusion. Plus the factoids coming out that this rootkit may have possibly been distributed by Sony for over a year now.

Regardless of who wrote it, Sony is still the one who deliberately distributed millions of CDs containing this malware. They should have done due diligence on their own product before shipping. They've supposedly stopped making CDs with XPC, but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again. Instead, they've done practically nothing (except some basic CYA by halting further production) and practically promised that they'll be trying this again in some form in the future. Hardly sounds like an 'innocent' party.

Sony certainly deserves to get their collective ass handed to them. Its just a shame it will have to happen through lawsuits and consumer boycotts, as you'd think they would learn not to abuse their own paying customers. I guess not.

P.S. Screw you Sony, your products, warranties, and service have been crap for years, but now I will actively avoid anything to do with you.

Re:Stranger and stranger

[Sique (173459)]

According to both LGPL and GPL the one you get the software from is the distributor. He is the one responsible for adhering to the licenses. He can of course sue his own software provider later, but for now it's Sony that distributed the programs.

If Sony is providing the source code for the programs and restates that the software is unter GPL (thus giving you the right to modify and distribute your modification), then everything is fine between Sony and you though.

There have been several similar cases in Europe about this, and in every case the GPL has been found valid, and the violation of the license has been considered healed, if the final distributor was able to get hold of the source code and distribute this one too under GPL.

Check GPL v2.0 section 4:
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

For Sony this means: They lost the right to distribute the Program, and they will be in violation of the GPL until they start to comply with the GPL themselves (e.g. distributing the source and allowing modifications and redistribution under GPL).

First4Internet could be in BIG trouble.

[meringuoid (568297)]

The Computer Misuse Act, 1990 [opsi.gov.uk]

3.(1) A person is guilty of an offence if
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.

I think First4Internet's little toy is designed to prevent or hinder access to programs and data held in a computer, don't you? And I really doubt that their click-through EULA constitutes authorisation to do so; it was fraudulently claimed that the Software was necessary to play the music, which was a plain lie as is shown by every Linux and Apple machine that plays it just fine without the rootkit installed.

I might add that even though these discs are not available in the UK, the Computer Misuse Act still holds [opsi.gov.uk].

Anyone know if we could possibly get Inspector Knacker to take a look at these felonious fellows?

The day the music died (err was killed by Sony)...

[Thud457 (234763)]

Sony CDs banned in the workplace [boingboing.net]

I've been chasing down several accounts of government agencies, companies, educational institutions and others banning the use of Sony CDs on their PCs, due to the security risks of having Sony's rootkit DRM infecting their PCs. One government ministry, Alberta Agriculture, has banned the use of music CDs altogether, since Sony is hardly the only music company crippling its CDs with sneaky, malicious software. Here are a couple examples:

It has been brought to our attention that there is significant risk to the security and the operation of UC computers in using Sony BMG produced CDs. For this reason, the use of Sony BMG produced CDs in University of Canberra computers is prohibited.

Here I thought this would only happen for "secure" workplaces. Sorta makes you feel sorry for SCO, they can't get anyone to even look at the crazy they're selling when Sony's got such a superior line of insane self-destructiveness.

Re:Stranger and stranger

[replicant108 (690832)]

Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet.

Actually, Sony were responsible for distributing the software.

That's why they're in trouble.

Re:Stranger and stranger

[cgenman (325138)]

Sony paid someone for a root kit to be secretly installed on people's machines. A root kit. You know, like paying a criminal to bug someone's phone. Sony damn well should have gone over that thing with a fine toothed comb, as it would have been trivial for First4Internet to get credit card numbers, access to bank accounts, corporate secrets, and anything else it wanted. Or, say, accidentally give access to that stuff to everyone in the world.

All parties involved in an illegal activity are responsible for that activity. Sony is no different.

Re:Stranger and stranger

[harrkev (623093)]

I am not sure that I would come down too hard on Sony for this...

The GPL violations lie firmly on the shoulders of F4I. If Sony did not disassemble the code or inspect the source, they had no way of knowing.

We certainly CAN blame Sony for throwing crap DRM at us in the first place, and we can criticize their PR response to this whole mess. But we cannot blame them for GPL stuff.

And as far as the uninstall fiasco goes, Sony did not write the software, so I am sure that they do not know how to remove it. They have to rely on F4I to supply the uninstall software. But, once again, it IS their fault that they did not pull the uninstall program earlier once the security holes had been found. But Sony is a corporation, with probably 1,000 layers of management, so even that is understandable.

I'm suprised that the execs at Sony......

[8127972 (73495)]

.... still have feet after shooting themselves in the foot so often.

Re: Digital Camera Code

[briggsb (217215)]

I wonder if it's the same code they used in their digital camera rootkit [bbspot.com].

Re:I'm suprised that the execs at Sony......

['nother poster (700681)]

They are both to blame. Comapany A says "Since a lot of companies want DRM, we'll give them some DRM. Who cares if it's a stupid and possibly illeagal implimentation, it will make us a buttload of cash." Company B comes along and says, "That's just what weve been looking for! We have no idea how it really works, and we don't care, but you buy a great lunch and the presentation used all of our required buzzwords."

"First 4 Internet" are idiots for thinking they were more clever than several million computer geeks around the world. Sony are idiots for not throughly researching exactly what the software they licensed did, and how it did it, as well as thinking they had some right to do as they wish with someone elses property.

A share of profits?

[RobinH (124750)]

This is GPL'd code, not LGPL'd, right?

Anyway, DVD John can actually sue Sony for all *revenue* that Sony made from the sale of the CDs, if I'm not mistaken (not just profits). That would grab them where it hurts!

Re:A share of profits?

[RobinH (124750)]

Actually I might be thinking patent infringement there. Seems like in a copyright case they could sue for statutory or actual damages if the material has been registered with the copyright office. The statutory damages might be $750 to $30,000 per infringement, but a judge can go above or below those numbers. Actual damages requires you to prove loss of income, which would be difficult in this case, since the code is distributed freely (in the sense of beer).

Re:A share of profits?

[Alchemar (720449)]

If it is GPL code then wouldn't it make the EULA unenforcable under the cannot add other restrictions clause?

Re:A share of profits?

[Anubis350 (772791)]

I wouldn't blame Sony too much since they're just trying to stop pirates from copying their music

*I* would. Are you seriously saying that if they committed copyright infringement to prevent copyright infringement it's ok because they're preventing copyright infringement? And that rootkitting thousands of machines worldwide is perfectly fine because "they're just trying to stop pirates"? wow! I want what you're smoking!

Who guessed it?

[OxygenPenguin (785248)]

I said right off the bat, that the Sony DRM package would be full of other's code. Seems to me that Sony hired some blackhats to get the job done for them. Violating the GPL is definitely the least of their worries, but just another strike against what is becoming an increasingly corrupt music giant.

Isn't that doubly illegal?

[meringuoid (568297)]

They've simultaneously violated DVD Jon's copyright on his code, and (in distributing it in the USA) violated the DMCA to boot!

Sony ought to be in some severely deep shit here. Of course they're a corporation, so they're mostly above the law, but we should still be able to get something to stick.

Re:Isn't that doubly illegal?

[Albanach (527650)]

Actually if the software came from first4internet and first4internet are based in the UK then this could be interesting.

Under UK law copyright infringement is a criminal offence - in other words, report it to the police and they are obliged to investigate.

So if the copyright holder were to let the police know of their concerns and supply some evidence, the company that authored the software could have an interesting visit.

Sony isn't the only one to lambaste here

[Gnascher (645346)]

Rember, Sony purchased the rootkit from first4internet. They wrote the software that is abusing the GPL.

Most folks don't review the sourcecode of software they purchase to determine if its license-tree is clean.

Sony definitely made a truly dumb move by utilizing this DRM software (and several other dumb moves subsequently), but lets not let First4Internet off the hook either.

Re:Sony isn't the only one to lambaste here

[LiquidCoooled (634315)]

1st4: "We have this super code which stops 'teh kiddies' from copying"

Sony: "Cool, lets see."

1st4: "Its already on, go ahead try and copy it"

Sony: "Oooooooh, and they won't find it will they?"

1st4: "Never. We are teh elite blackhats."

Sony: "Ok be quiet about that one, when you you be ready to ship?"

Re:Sony isn't the only one to lambaste here

[l2718 (514756)]

Not quite true -- Sony is "distributing" the software as defined by the GPL. Moreover, the work was preformed by First4Internet as agents of Sony. These both seem to indicate they are liable. On the DMCA side, they are "trafficking" in an anti-circumvention device (assuming the software does actually activate the codepath in question).

Wow. Just WOW.

[iainl (136759)]

From the Sony binary file:

"pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq."

ROT 13 it, and you get

"copyright (c) Apple Computer, Inc. All Rights Reserved."

You couldn't make it up, could you?

Re:Wow. Just WOW.

[Sam H (3979)]

I have to make sure everyone understands why this string is here. To be fair with Sony (or whoever they mandated), it is not an attempt from them to hide the code theft. Rather, it is an attempt by Apple to prevent not only code theft but also clean-room reimplementations.

Apple's encryption scheme includes the generation of a key. The important parts of this key come from the machine's unique hardware information. But to prevent (at least that's my only plausible explanation for it) people from reimplementing the scheme by using the same information, they also add this copyright string to the key generation. Reimplementing their protocol means the string has to be used.

We just store it ROT13'ed in VLC because it would be confusing to have an Apple copyright in our code. Although technically the string itself is created by Apple, it is too short to qualify for copyright.

Re:Wow. Just WOW.

[Sam H (3979)]

Why does Sony's DRM include code to break Apple's DRM? Are they just scanning for evidence that your code is running, staticly built the library because they were stealing some other aspect of your program, or do they actually want to decrypt Apple files?

It is likely that they are not using VLC's code but some other, smaller application that just happens to use our code (and which may or may not respect the GPL itself -- there may be unknown intermediaries in the story). The drms.c file is part of VLC's MPEG-4 / QuickTime demuxer, so it could be a music player or a media tagging utility, for instance.

Re:Wow. Just WOW.

[iainl (136759)]

The string is there because it's part of DVD Jon's code for stripping the DRM out of iTunes files, but yes - it's there all right. Matti Nikki points out the relevant offset in the article.

Contest

[saskboy (600063)]

I think the EFF should dream up a contest, and the most crazily ironic story involving DRM, copyright, and the law would win a prize.

Oh, too late! Sony already wrote the best story, and it's actually happening before our eyes! Truth is stranger than fiction. And Sony wins many massive lawsuits. Err, I mean they lose them, the prize is they get sued.

Oblig Simpsons

[Snamh Da Ean (916391)]

DVD Jon's Code In Sony Rootkit? "The ironing is delicious".

Is the DVD Jon code executed?

[logicnazi (169418)]

So I looked through the links and while one of the discoverers made it quite clear that the LAME code is not being used as data (never refereced). However, it was unclear to me if that was true for the DVD Jon code.

I mean the DVD john code seems like exactly the sort of thing one might want to search for on someone's computer to stop pirating. If indeed it is used only to identify the code it may be covered under fair use. It's an interesting legal question that I vaguely remember came up in virus/worm/spyware cases. Namely can a malware writter use some kind of simple code modification method to foul up simple hashes and then insist his copyright prevents anti-virus manufacturers from including large enough parts of the malware code to accurately detect it.

It might not be pleasent but if it's fair for the good guys to use code under fair use for detection then the bad guys get to do it as well.

Which reminds me I don't even remember the legal status of this DVD Jon code in the US. Is it illegal under the DMCA? Does this deny it copyright protection or a different measure.

Thank you, Sony!

[Stormwatch (703920)]

This is like watching a comedy movie, except I didn't have to pay for a ticket!

(wait, does it mean MPAA will come after me?)

Sony's apology

[RandoX (828285)]

Get it here. [sonybmg.com]

Ah, but who put it there?

[mustafap (452510)]

I assume that some grey, suited MBA type didn't put this code in. A geek did. Following on from that, they are almost certainly slashdot readers....

Does anyone have something they would like to tell us? ;o)

To understand recursion ...

[AnriL (657435)]

... one must first understand recursion.

Sony uses rootkit to enforce DRM which incorporates code to circumflect DRM and thus can sue itself under the DMCA. C'mon! If this gets any more convoluted or self-referential, either the universe will explode (and be replaced with something even more complicated) or Sony will disappear in a puff of logic.

So let me get this straight...

[acidblood (247709)]

When some cheapskate downloads copyrighted MP3s from a P2P network, it's `copyright infringement', but when Sony uses GPL'd code it's `stealing', right?

Here is the difference

[donscarletti (569232)]

When some cheapskate downloads copyrighted MP3s from a P2P network, it's `copyright infringement', but when Sony uses GPL'd code it's `stealing', right?

There are many types of copyright violations with very different types of severity:

The first type is when someone goes out and downloads a song, lets say "...And Justice for All" by Metalica they have simply avoided paying for it by getting it through illegal means. This does not equate to any directly measurable loss of revenue because when the effective price of something is lowered, people are more likely to get it. Thus it is not only likely that someone would not have bought the CD if the pirate mp3s were not available, but it is actually more likely than not. This is of cause not a wholly moral practice, but it is cirtainly not as bad as many other evils that exist in society today. These are the infractions that occur on Kazaa and the ilk.

The second type of infraction is where one duplicates the media on which intellectual property is contained and sells it themselves at an actual monitary price. This is very different since there is a very obvious minimum bounds of loss of revinue caused by this which is of cause the markup on the pirated media. Motivation also changes in this type since there is a very clear misdirection in the chain of money where the pirate gets a clear financial benifit wheras they recieve none in the first set. This type of violation is criminal in most juristictions whereas the first type is wholly civil.

The third and most severe case is where intellectual property is rebranded and its credit is misappropriated to another party. This historically has been a result of industrial espionage but today, open source software is very vulnarable to it. This is equivalant to the Kazaa casual pirate claiming that they wrote "...And Justice for All". It means that not only does the pirate get the profit for the sale of the intellectual property instead of the legal creator, but those who are convinced to use this thing in future by seeing the rebranded thing will never go to the real author to get a copy for themselves. In either of the previous two types there is a likelyhood that the author will eventually get money or whatever they are looking for (usually an ego boost in the case of OSS) but in the third type this is not the cause. This is a far more thorough missapropriation of this IP and thus the term "stealing" is far more appropriate.

The reason that these three types are so neatly ranked is that as you can see, each one is a subset of the type before. Not everyone gets annoyed by violations every layer since OSS doesn't mind first or second type occuring but hates the third kind. SUN doesn't mind the first type occuring but hates the second and third with Java. Public domain doesn't mind any of the three. But no one will let one layer slide that is above something that annoys them.

This case with sony is clearly not a third type violation (which I would call stealing) but is a second type (which I would call piracy) since Sony did not claim to write this software or even advertise its existence. The GPL says you can do second type scenarios on the condition that you distribute the source code. Sony redistributed this IP for money but did not distribute the source code AFAIK so they voilated the rules on this level. This puts them on par with sleezy bootleg vendors on street courners and ebay pirate CD vendors but significantly worse than some kid downloading Nelly mp3s off Kazaa and significantly better than the jerks behind CherryOS.

So there you have it, why downloading some dumb pop song off the internet isn't as bad as taking credit for someone elses hard work and making millions of dollars off it and why sony are half way in between on this one.

Tomorrow's headline

[Slashdoc Beta (925619)]

SCO Unix source code found in Sony Rootkit. I wish.

My god, at this rate SCO code will be found next

[icecow (764255)]

My god, at this rate SCO code will be found next

And BTW...

[Pakaran2 (138209)]

He knows [nanocrew.net]

what is even

[suezz (804747)]

sicker is that apparently the companies that we rely on for getting rid of root kits knew about the software since 2004 and did nothing. good going guys.

doesn't it really make you look forward to VISTA - it is going to have this crap all over the os - they are working with media companies so everyone has to use windows to watch TV or DVDs.

none of these companies care about the consumer - they are going to give us what they are going to give us and that's it.

this why I chose open source and always will. no one is going to tell me how to use my computer.

Re:PS3 vs. XBOX360

[meringuoid (568297)]

I initially was going to wait for PS3 but now I am boycotting Sony and will be getting a 360 in a week or so.

Dumping PS3 in favour of 360 because you think Sony's evil is kind of similar to dumping Saruman in favour of Sauron.

Personally, I'm rather taken with that nifty new controller they're putting on the Revolution...

Re:PS3 vs. XBOX360

[wpiman (739077)]

Who is more evil now? Sony or Microsoft?

Sony.....
Microsoft

Man- this is a tough one.

Re:PS3 vs. XBOX360

[at_slashdot (674436)]

"Who is more evil now? Sony or Microsoft?"

Microsoft installed more rootkits: Windows XP.

Re:No-one truly cares though

[TheWormThatFlies (788009)]

Look, it's very simple: people are kicking up a fuss about this because it is hypocritical for Sony to maintain its anti-copyright-infringement stance, and attempt to take the moral high ground in this regard, if Sony itself is infringing copyright left, right and centre.

If a politically powerful, fanatical anti-drug campaigner who constantly lobbied for pot-smokers to be thrown in jail for years and fined huge sums of money were caught smoking pot, I would not be surprised to see large numbers of people demanding that he be thrown in jail and fined millions, in keeping with the laws that he himself helped establish, even if they were pro-legalisation activists who firmly believe that the laws are unjust.

It is a challenge to the legal system to treat everyone equally under the law, and thus either apply an unfair, draconian law to everyone, including powerful parties who have previously used the law against their enemies, or to concede that the law is unfair and change it.

Re:No-one truly cares though

[99BottlesOfBeerInMyF (813746)]

I'd say that at least a third of the population condones non-commercial copyright infringement... The point is, when an act is accepted by a significant proportion of the population, chances are that act is ethical

So obviously Sony (or the company that wrote the code if you want to get pedantic) is right to have infringed upon DVD Jon's code.

How is this copyright infringement non-commercial? It was done for profit by an organization whose stated goal is to make money.

So it all comes down to slashdot isn't the place to go to if you want to hear intelligent debate about copyright laws.

True enough, but only because there are so many people like you don't seem able to comprehend the arguments put forth. A significant number of people infringe copyright non-commercially and that indicates that the will of the people might be that it should be legal. A significant number of people do not commercially infringe copyrights or condone it. I'd agree with that argument, as would many people. But to claim it is hypocritical is ridiculous. It is called a false dichotomy. There is no hypocrisy in believing that non commercial copyright infringement should be legal, but commercial should be illegal. There is no hypocrisy in believing our copyright system is corrupt and counter productive, but still believing a copyright system that is better designed can be useful. There is no hypocrisy in believing business and software patents are garbage, but traditional patents are a good idea. There is no hypocrisy in believing Toyota makes reliable cars but Ford does not. Please take the time to actually read and understand an argument someone puts forth before declaring them a hypocrite and ascribing a whole lot of motives to them, even though you obviously have no way of knowing them.