Sony Rootkit Allegedly Contains LGPL Software
Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.
Re:Uuuuuh (Score:3, Informative)
Re:Uuuuuh (Score:5, Informative)
No. You can link LGPLed software with proprietary software, but you must still distribute the sources of at least the free software (free as in RMS).
Re:Uuuuuh (Score:5, Informative)
This software is licensed under the so-called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the intermediate form between source code and executable code, the so-called object files, with which others can make comparable software.
Nope. (Score:5, Informative)
That being said, from what I've read it appears that the Sony DRM code may be looking for LAME on the system (to block it from working on their 'protected' stuff) but doesn't appear to actually contain LAME code.
... or maybe not (Score:2, Informative)
Just minutes before heading over to Slashdot I read this [the-interweb.com] which concludes that while Sony's software does contain some of the LAME tables, it doesn't seem to use them.
Re:Uuuuuh (Score:2, Informative)
The LGPL allows linking of proprietary software against Free libraries, however you must provide source code for the Free library or a means of getting it and you must "give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License." In addition "You must supply a copy of this License" (the LGPL.)
The question is if they linked against LAME or just pulled out a pattern string, and at what point it becomes "use" of the library. They still ought to have complied with the LGPL to be on the safe side if you ask me though.
Re:Well, hang on a minute (Score:2, Informative)
I wonder if someone has made a request to the software firm that wrote the software originally? Because the code is statically linked, they will of course have to make their entire software source available - if I understand this right.
Re:Uuuuuh (Score:5, Informative)
No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and direct users of the software to a website containing the source code.
More info (Score:5, Informative)
Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/ [hack.fi]
There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.
Almost. (Score:5, Informative)
Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distributing statically linked binaries and all
There is no violation involved (Score:1, Informative)
Re:Sony Rootkit (Score:2, Informative)
It's important to remember that "copyright infringement" != "stealing", and if people on /. can't keep this straight, how can anyone expect Joe Public to keep it straight?
This is as much a PR battle as a legal battle, and any successful commercial organisation knows a thing or two about marketing/spin. And obviously judging by the crap they _sell_ (read push-on-consumers) as music and art, the *AA's must be successful marketers.
Re:Well, hang on a minute (Score:4, Informative)
"operating system on which the executable runs" (Score:5, Informative)
<sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>
The GNU General Public License [gnu.org] and the GNU Lesser General Public License [gnu.org] have an operating system exemption. The exact wording of the exemption in both licenses is as follows:
True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.
Re:There is no violation involved (Score:2, Informative)
LAME is in there, just not in GO.EXE (Score:5, Informative)
Article Text (dewinter.com dead) (Score:2, Informative)
Posted on Thursday, November 10 @ 11:44:47 CET by brenno [dewinter.com]
GNU / GPL (Copyleft) [slashdot.org] The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.
It turns out that the rootkit contains pieces of code that are identical to LAME [mp3dev.org], an open source mp3-encoder, and thereby breach the license.
This software is licensed under the so-called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the intermediate form between source code and executable code, the so-called object files, with which others can make comparable software.
Sony complied with none of these demands, but delivered just an executable program. A computer expert, whose name is known to the editors, discovered that the CD "Get Right With The Man" by "Van Zant" contains strings from the library version.c of LAME. This can be concluded from the strings: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 ".
But the expert has more proof. For example, the executable program go.exe contains a so-called array largetbl. This is a part used in the module tables.c of libmp3lame.
This discovery can have far-reaching consequences for the music giant, who claims only to protect copyrights. Previously, judges in Germany already forced various companies to release source code to the public and to deliver the goods necessary for compiling. It is also possible to demand financial compensation for damages.
Meanwhile, other details are also becoming clear. The Electronic Frontier Foundation [eff.org] complains that the spyware makes the legal listening to the music on iPods impossible. The organisation is busy making a list of CDs [eff.org] containing the hidden software and publishes this on its website.
Various calls to SonyBMG remained unanswered despite promises to call back.
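The article above describes finding LAME's version.c strings inside go.exe. The following is an added example (not code from the article, Slashdot, Sony or the LAME project) of a small audit script that does that check for a binary: it searches for the marker strings the article lists and reports their offsets. The sample bytes are constructed here so the script runs offline; the file-path argument and the two-marker threshold are assumptions.

```python
"""Audit a binary for marker strings that identify an embedded open-source library.

Constructed example. The markers are the strings the article reports as found
in go.exe, taken from LAME's version.c. The SAMPLE bytes are fabricated here so
the script runs offline; pass a real file path on the command line instead.
"""
import re
import sys

# Marker strings the article says were found in go.exe (from LAME's version.c).
LAME_MARKERS = [b"http://www.mp3dev.org/", b"0.90", b"LAME3.95", b"3.95"]


def find_markers(data, markers=LAME_MARKERS):
    """Return {marker_text: [byte offsets]} for every marker present in data."""
    hits = {}
    for marker in markers:
        offsets = [m.start() for m in re.finditer(re.escape(marker), data)]
        if offsets:
            hits[marker.decode("ascii")] = offsets
    return hits


def printable_strings(data, min_len=4):
    """Equivalent of the Unix `strings` tool: yield (offset, text) for runs of
    printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.start(), m.group().decode("ascii")


def assess(data):
    """Flag a file when at least two distinct markers are present (assumed
    threshold: a single short string such as "3.95" is too common on its own)."""
    hits = find_markers(data)
    return len(hits) >= 2, hits


# Constructed sample "binary": padding, a fake DOS header, and the markers.
SAMPLE = (b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 8 + b"LAME3.95\x00"
          + b"\x00" * 5 + b"http://www.mp3dev.org/\x00" + b"\xff" * 4 + b"0.90\x00")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    flagged, found = assess(blob)
    for marker, offsets in found.items():
        print(f"{marker!r} at {', '.join(hex(o) for o in offsets)}")
    print("LAME markers present:", flagged)
```

The presence of these strings alone does not prove the library's code is linked in; as other comments note, a table or string can be present without being used, so a hit should be followed up by comparing the surrounding code and data (the largetbl array the article mentions) against the library's source.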
Re:It serves them right! (Score:2, Informative)
PLEASE, EDITORS CHECK GRAMMAR AND SPELLING (Score:1, Informative)
... However, the source code has not also been
distrbuted, hence breaching the license. Here is an english translation of the page....
sigh, In Case Anybody's Losing Track (Score:5, Informative)
Re:LGPL (Score:5, Informative)
Re:LGPL (Score:3, Informative)
I believe you should shut up, stop relying on hearsay and read the license. Section 4 most clearly states:
Re:"operating system on which the executable runs" (Score:5, Informative)
Re:It even has some GPL components (Score:1, Informative)
"The license of the mpg123 player is GPL and the license of the mpglib inside the mpg123 package is LGPL."
Or is wikipedia wrong...
It's getting pulled anyhow (Score:5, Informative)
http://www.usatoday.com/tech/news/computersecurit
Jerry
http://www.cyvin.org/ [cyvin.org]
outdated info, it's LGPL nowadays (Score:5, Informative)
Re:Glee (Score:5, Informative)
Re:Glee (Score:2, Informative)
Really? From the BBC yesterday,
http://news.bbc.co.uk/1/hi/technology/4434852.stm [bbc.co.uk]
Re:Wrong. Because the best-kept secret about LGPL. (Score:3, Informative)
Note the words "may be". Copyright law is funny. Using things that are necessary to interoperate (e.g. simple definitions of constants and function prototypes) is not a problem from a copyright perspective (cf. "scènes à faire"). If there's only one way to express an idea (e.g. "errno.h", which maps POSIX specified numbers to POSIX specified constant names), it's called "merger" and is not subject to copyright.
Now, if the header file contains substantial code in its own right, either in the form of code that compiles or just macros, it's possible that a case might be made that the resultant object file might be considered a derived work (though note that the other source code is expressly not).
Indeed, there might be a case to be made that dynamic linking doesn't create a derived work, and that would make the GPL legally equivalent to the LGPL. But no one's tried to make that case in a court yet.
Re:LGPL (Score:3, Informative)
The LGPL does not require you to give anyone access to the non-free parts you linked with it. Only if you modify the library itself are you required to give access to the sources of said library, not to the source of the program you link with that library.
So I don't see why Sony is violating the LGPL here. As you can download the LGPLed library from sourceforge, it's freely accessible, no?
angel'o'sphere
P.S. I haven't bought CDs in years, and since iTunes I don't need any CDs anymore anyway.
Re:LAME encoder (Score:4, Informative)
Isn't the LAME encoder an MP3 encoder that still needs to be licensed from Thomson?
In short, No!
Longer version: According to Dave Arland, a U.S. spokesman for Thomson Multimedia - 'its policy has always been to allow free use of the company's MP3 patents in "freely distributable software"'
Newsforge Article [newsforge.com]
Re:Reverse engineering (Score:2, Informative)
Now that Muzzy has the facts that were obtained legally, using them is free. You can't violate an EULA by reading a website criticizing the software.
Re:Notification? (Score:2, Informative)
Re:What does the rootkit do when it detects LAME? (Score:3, Informative)
Re:Glee (Score:3, Informative)
LAME is for research/education only (Score:1, Informative)
Re:Code vs metadata (Score:5, Informative)
You are way off. "Fair use" isn't a specific law, it is a set of factors that must be considered in a copyright infringement case. Read up on it. [stanford.edu] You can't definitively say "there's no fair use law covering this" because fair use is non-specific. It's a huge grey area.
Re:Not Sony (Score:5, Informative)
In court, damages would be determined based upon the length of time when you were told you were in violation, and when you decided to correct this behavior.
If you were warned that you were in violation, today, and correct the violation in a week, or stop distributing the code in a month (as soon as reasonably possible) damages would be 'negligible'.
If you were warned that you were in violation, then ignored it indefinitely, until the matter was brought up in court, that would be considered willfully infringing. There would be damages, but of a limited amount, and an injunction against you for this kind of behavior.
If you were warned that you were in violation, then you denied it, then you tried to disprove it, then you counter-sued, then you ignored it, attempted to settle, caused settlement negotiations to break down, filed to have the hearing moved to a different jurisdiction, etc etc, the court could be persuaded to lean towards the '$100,000 per CD copyright fine'.
The court is given a fair amount of leeway in deciding this kind of thing. Behave badly, and unless you have a crack legal team, you'll get slapped. Judges, regardless of whether they are right wing or left wing have a _very_ serious sense of fairness. Fuck with some one in a willful way, and play with them in court to prolong your profiteering, and a judge _will_ come down on you hard.
Hilariously, this seemed to work too well for Microsoft. They got the judge so damn pissed off that his decision had to be reversed. In my opinion, however, you'll never see this happen again. No judge will make the kind of comments that were made in that case.
Re:Notification? (Score:1, Informative)
WRONG WRONG WRONG (Score:3, Informative)
You also have to let people request it by mail charging only a minimal fee.
These are DISJUNCTIVE positions. You only need to do one, not all of them.
Saying "we have used unmodified versions of the LGPL library XY, and that you can obtain them from the website of the project which was at __url__ as of __date__"
*IS* sufficient. The automatic requirement to redistribute the LGPLed code is not included anywhere in the LGPL code. Were it, it would say that you must redistribute the source code for the LGPL project if you release binaries.
This is not the case. If you haven't made any changes to the LGPL code, then there is no reason to redistribute the source code, and there is no REQUIREMENT either.
Re:Uuuuuh (Score:4, Informative)
Even the methodology used by the sysinternals dude, of analyzing the kernel call vector to find the rootkit (by locating addresses pointing outside of the kernel) is nowhere near bulletproof. We're coming up on the 5th inning of the apocalypse of Windows. Soon a Mac will look cheap when you compare it to the time consuming weekly reformat/reinstall cycles that lie just beyond the horizon.