DVD Jon's Code In Sony Rootkit?

An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."

Sony isn't the only one to lambaste here

[Gnascher]

Rember, Sony purchased the rootkit from first4internet. They wrote the software that is abusing the GPL.

Most folks don't review the sourcecode of software they purchase to determine if its license-tree is clean.

Sony definitely made a truly dumb move by utilizing this DRM software (and several other dumb moves subsequently), but lets not let First4Internet off the hook either.

Wow. Just WOW.

[iainl]

From the Sony binary file:

"pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq."

ROT 13 it, and you get

"copyright (c) Apple Computer, Inc. All Rights Reserved."

You couldn't make it up, could you?

Re:Isn't that doubly illegal?

[jim_v2000]

Sony will get a slap on the finger, if even that much. CD's aren't the only thing they sell, and really, for most people the whole rootkit thing doesn't matter. Heck, you still have to be pretty tech savvy to understand what the whole thing is about. I doubt this whole thing is on the top of Sony's list of issues...at least not for the company as a whole.

Re:A share of profits?

[RobinH]

Actually I might be thinking patent infringement there. Seems like in a copyright case they could sue for statutory or actual damages if the material has been registered with the copyright office. The statutory damages might be $750 to $30,000 per infringement, but a judge can go above or below those numbers. Actual damages requires you to prove loss of income, which would be difficult in this case, since the code is distributed freely (in the sense of beer).

Re:Stranger and stranger

[BushCheney08]

Bear in mind that Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet [xcp-aurora.com]. While we all should (rightfully) be pissed at Sony for including this on a bunch of their CDs, we should be equally as pissed (or moreso) at First 4 Internet for their (L)GPL violations and for making this product in the first place.

Re:A share of profits?

[Professor_UNIX]

Anyway, DVD John can actually sue Sony for all *revenue* that Sony made from the sale of the CDs, if I'm not mistaken (not just profits). That would grab them where it hurts!

I think Sony already got the message since they're recalling all those CDs. I wouldn't blame Sony too much since they're just trying to stop pirates from copying their music, but they should've done a more thorough job of investigating the technology that First 4 Internet uses to accomplish that.

Re:Stranger and stranger

[A beautiful mind]

Isn't Sony the distributor, thus the violator of (L)GPL ?

Re:Stranger and stranger

[replicant108]

Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet.

Actually, Sony were responsible for distributing the software.

That's why they're in trouble.

Re:Stranger and stranger

[harrkev]

I am not sure that I would come down too hard on Sony for this...

The GPL violations lie firmly on the shoulders of F4I. If Sony did not disassemble the code or inspect the source, they had no way of knowing.

We certainly CAN blame Sony for throwing crap DRM at us in the first place, and we can criticize their PR response to this whole mess. But we cannot blame them for GPL stuff.

And as far as the uninstall fiasco goes, Sony did not write the software, so I am sure that they do not know how to remove it. They have to rely on F4I to supply the uninstall software. But, once again, it IS their fault that they did not pull the uninstall program earlier once the security holes had been found. But Sony is a corporation, with probably 1,000 layers of management, so even that is understandable.

Re:A share of profits?

[AvitarX]

Except if there was a price he was willing to sell the code for rights to use in a closed source app that price would be the damages, no matter how crazy the price was, since it is in a closed source app and he got nothing.

Is it actually using the code?

[91degrees]

It could just be using extracts to identify the software. I mean, why would they want LAME and DeCSS on their CDs? They have no use. We don't need an MP3 encoder because any compressed copies will be already encoded in a DRM format. They really don't need to decode iTunes songs.

If these are small segments, used for identifying and diabling the software, then the copyright defence could be fair use. And there's no way I'll say that copyright shoudl prevent this.

Re:Stranger and stranger

[BushCheney08]

IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code). Not to mention, they pulled the CDs from the shelves already, which they could say coincided with the revelation of copyright violations on the discs -- ie, immediate action was action. I'm not trying to defend them or their practices at all, I'm merely looking at it from a "who can be held accountable" point of view.

I'm beginning to wonder...

[eth1]

...if some clever programmers at First4Internet with an agenda did this on purpose.

It was obviously a golden opportunity to bring the whole DRM BS to a head.

If that's the case, bravo!! :)

Re:A share of profits?

[Anubis350]

I wouldn't blame Sony too much since they're just trying to stop pirates from copying their music

*I* would. Are you seriously saying that if they committed copyright infringement to prevent copyright infringement it's ok because they're preventing copyright infringement? And that rootkitting thousands of machines worldwide is perfectly fine because "they're just trying to stop pirates"? wow! I want what you're smoking!

pissing contest.

[leuk_he]

You buy a cd from sony (or an artist...), not from some spyware compagny. And if f4internet blaimes 1 roque employee, will you accept that as a defense?

No this is far beyond a "vote with your wallet" story. sony BMG broke some laws they though were important for their business model, and now they should bleed for it.

Re:I'm suprised that the execs at Sony......

['nother poster]

They are both to blame. Comapany A says "Since a lot of companies want DRM, we'll give them some DRM. Who cares if it's a stupid and possibly illeagal implimentation, it will make us a buttload of cash." Company B comes along and says, "That's just what weve been looking for! We have no idea how it really works, and we don't care, but you buy a great lunch and the presentation used all of our required buzzwords."

"First 4 Internet" are idiots for thinking they were more clever than several million computer geeks around the world. Sony are idiots for not throughly researching exactly what the software they licensed did, and how it did it, as well as thinking they had some right to do as they wish with someone elses property.

Re:Who guessed it?

[RingDev]

"Seems to me that Sony hired some blackhats to get the job done for them."

Err, no. Sony licensed a product that was developed by a bunch of ass hats. Sony, while incompetent, could sue the party they licensed the software from for many of their wohs.

-Rick

No-one truly cares though

[aussie_a]

As per many comments made from slashdotters yesterday, [slashdot.org] here is a sample:

Widespread lawbreaking indicates a problem with the laws, and not with the crime. This is why copyright law is so ineffective.

On the other hand, anecdotally I'd say that at least a third of the population condones non-commercial copyright infringement

The point is, when an act is accepted by a significant proportion of the population, chances are that act is ethical

copyright theft does not have a victim, noone loses anything.

When so many people break the law, maybe there is something wrong with the law.

So obviously Sony (or the company that wrote the code if you want to get pedantic) is right to have infringed upon DVD Jon's code. However you won't see anywhere near as many posts saying as much in this article as the one I linked to. Why? Because GPL infringement affects a lot of members here, and they don't like the idea of their license being abused.

So it all comes down to slashdot isn't the place to go to if you want to hear intelligent debate about copyright laws. You'll just get a lot of chest thumping and hypocritical posts.

Re:So let me get this straight...

[Slashcrap]

When some cheapskate downloads copyrighted MP3s from a P2P network, it's `copyright infringement', but when Sony uses GPL'd code it's `stealing', right?

It' actually quite simple. Those of us who weren't exposed to too much lead when we were children are able to work it out with only minimal thought. Here's how it goes :

Downloading a commercial mp3 = unauthorised copying = copyright infringement.

Downloading a commercial mp3, claiming that you recorded it and then selling it to others = theft.

I realise that I haven't directly mentioned software, GPLed or otherwise and that you will therefore have to put some thought into how the above rules might apply. That should keep you occupied for a couple of years during which you won't be able to earn cheap karma by parroting tired old comments that we've already seen a million times before. If we're lucky, you may even develop some original thoughts that you can share with us.

Re:First4Internet could be in BIG trouble.

[meringuoid]

Are we certain they weren't available in the UK? Check out the map Dan Kaminsky did of the rootkit's detected prescence in Europe. The UK's almost solid red, indicating that the rootkit is most abundant there.

I question the methodology. As far as I can tell, he's reporting which DNS servers have resolved queries for First4Internet. And he's doing it after the scandal has been all over the online news sites, all over the blogosphere and links to First4Internet's sites posted in a couple of dozen +5 comments on /.

I'd be surprised if there was a DNS server left on earth that hadn't recently handled a query for First4Internet by now.

Re:Stranger and stranger

[bri2000]

That sort of defence might work for, say, a magazine cover disc that inadvertantly included a virus but not here. The inclusion of this software will have been a big thing for Sony. They will have paid to license the code from F4I and deliberately included it in their products. For them to say they didn't know what it did or that it didn't work as believed it did is no more of a defence than it would be for a car manufacturer to claim it isn't liable for it's vehicles catching fire because this is caused by a faulty fuel pump made by somebody else. Sony may be entitled to an indemnity from F4I (although when a company has shown themselves to be this incompetent I wouldn't be at all surprised if Sony forgot to demand this...) but that's a different matter (and probably worthless given the size of the mess). Where damage has been done it's been caused by a Sony product. Therefore Sony are liable. The fact they don't seem to have bothered with any sort of due dilligence on the software they were licensing which caused the damage is no defence.

Re:No-one truly cares though

[TheWormThatFlies]

Look, it's very simple: people are kicking up a fuss about this because it is hypocritical for Sony to maintain its anti-copyright-infringement stance, and attempt to take the moral high ground in this regard, if Sony itself is infringing copyright left, right and centre.

If a politically powerful, fanatical anti-drug campaigner who constantly lobbied for pot-smokers to be thrown in jail for years and fined huge sums of money were caught smoking pot, I would not be surprised to see large numbers of people demanding that he be thrown in jail and fined millions, in keeping with the laws that he himself helped establish, even if they were pro-legalisation activists who firmly believe that the laws are unjust.

It is a challenge to the legal system to treat everyone equally under the law, and thus either apply an unfair, draconian law to everyone, including powerful parties who have previously used the law against their enemies, or to concede that the law is unfair and change it.

Re:Stranger and stranger

[cgenman]

Sony paid someone for a root kit to be secretly installed on people's machines. A root kit. You know, like paying a criminal to bug someone's phone. Sony damn well should have gone over that thing with a fine toothed comb, as it would have been trivial for First4Internet to get credit card numbers, access to bank accounts, corporate secrets, and anything else it wanted. Or, say, accidentally give access to that stuff to everyone in the world.

All parties involved in an illegal activity are responsible for that activity. Sony is no different.

Very Dangerous Reasoning

[isn't my name]

IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code).

You know, I think that this does make sense. However, this is a very dangerous line of reasoning. If you let Sony get off with no consequences for distributing stolen code, then you will never be able to prosecute any big corporatio for code copyright violations.

All a mega-corp need do is find a small, arms-length firm to launder the stolen code. Let that small firm actually steal it and then hand it on a silver platter to the mega-corp. If the mega-corp is caught, the small firm takes the hit and disappears in a puff of bankrupcy. Then mega-corp goes on to the next small firm.

If Sony truly didn't know about this, then they probably should not be liable for any statutory damages. However, they did distribute the code--which is technically a violation. Sony should be the one accountable for that violation and Sony should be able to sue First4Internet--unless of course First4Internet's license with Sony includes the standard indemnification clause like we see in most EULA's. In that case, Sony will be hoisted by their own petard--and it couldn't happen to a nicer group of people.

Re:Stranger and stranger

[LurkerXXX]

If you bought the radios out of a guy with a van who was selling them to you for $2 apiece, yes, you would be liable. That's because there would be good reason to suspect something might be up with them if that were the case. If you bought them from a seemingly reputable store at near-market value and had no other indications that they were 'hot', a court is not going to find you liable because there is no way for you to know that they are hot, and no reason to suspect they were. As much as I'd love to see Sony get a huge smackdown in the court for this (because they deserve it for putting in software that they had to know was hidden from you and that you couldn't remove) I don't know how you are going to prove that Sony should have had reason to suspect that the software the 3rd party company sold them was 'hot'.

Re:A share of profits?

[Spy Hunter]

Forget the GPL; does the rootkit actually *use* this code? If so, then I think Aple has a pretty clear DMCA case against Sony, since they certainly didn't license FairPlay DRM for Sony to use. And Apple is much more likely than DVD Jon to have both the inclination *and* the means to start a big legal fight about it. Sony breaking Apple's DRM with their rootkit designed to protect their own DRM would be irony too delicious for words.

Re:PS3 vs. XBOX360

[tomstdenis]

You didn't really address my point at all. You said that punishing SCEA does not make sense, because Sony Music is a different division. I beg to differ, they are both part of the same corporation.

Ok, I have friends who work at SCEA. You want to punish them? The idea to use f4i DRM wasn't theirs [fuck they don't even work for Sony Music].

So by your logic we should punish everyone by association. I can think of another group that did that. They were called Nazis :-)

[sorry Godwin...]

Point is if you think this is bad don't buy Sony Music. If you think PS3 DRM is bad don't buy Sony gaming products. But don't just punish one group because another did something else.

And really, you should actually talk with sony folk. They may be under the same parent company but when you get down to the day-to-day work SCEA and Sony Music are different groups with different products and different goals.

As for the moral superiority of MSFT that the original post was suggesting [e.g. do I get 360 or ps3] this alone shouldn't be a deciding factor.

Pick whichever has the better games [for your taste] and fits in the budget.

Tom

Re:Stranger and stranger

[Urusai]

Walmart didn't hire those illegals, they just hired a company that employed illegals and made them live in the back of Walmart.

Bush didn't lie to the world, the CIA just enhanced a couple of reports with speculatively extrapolated contingency scenarios.

Satan isn't responsible for the fall of Man, Eve was the one who gave Adam the fruit.

Sony...naw, Sony is as pure as a freshly powdered baby's bottom.

Re:No-one truly cares though

[99BottlesOfBeerInMyF]

I'd say that at least a third of the population condones non-commercial copyright infringement... The point is, when an act is accepted by a significant proportion of the population, chances are that act is ethical

So obviously Sony (or the company that wrote the code if you want to get pedantic) is right to have infringed upon DVD Jon's code.

How is this copyright infringement non-commercial? It was done for profit by an organization whose stated goal is to make money.

So it all comes down to slashdot isn't the place to go to if you want to hear intelligent debate about copyright laws.

True enough, but only because there are so many people like you don't seem able to comprehend the arguments put forth. A significant number of people infringe copyright non-commercially and that indicates that the will of the people might be that it should be legal. A significant number of people do not commercially infringe copyrights or condone it. I'd agree with that argument, as would many people. But to claim it is hypocritical is ridiculous. It is called a false dichotomy. There is no hypocrisy in believing that non commercial copyright infringement should be legal, but commercial should be illegal. There is no hypocrisy in believing our copyright system is corrupt and counter productive, but still believing a copyright system that is better designed can be useful. There is no hypocrisy in believing business and software patents are garbage, but traditional patents are a good idea. There is no hypocrisy in believing Toyota makes reliable cars but Ford does not. Please take the time to actually read and understand an argument someone puts forth before declaring them a hypocrite and ascribing a whole lot of motives to them, even though you obviously have no way of knowing them.

Re:Sony isn't the only one to lambaste here

[Gnascher]

My company uses software provided by Microsoft, Macromedia, Adobe, etc... All I know is we have licenses to these applications, and license to distribute anything we might create with these applications (where appropriate).

Do you know if thier source trees are clean? One might suspect they are, even be pretty confident that they are ... but you just don't know for sure.

Here is the difference

[donscarletti]

When some cheapskate downloads copyrighted MP3s from a P2P network, it's `copyright infringement', but when Sony uses GPL'd code it's `stealing', right?

There are many types of copyright violations with very different types of severity:

The first type is when someone goes out and downloads a song, lets say "...And Justice for All" by Metalica they have simply avoided paying for it by getting it through illegal means. This does not equate to any directly measurable loss of revenue because when the effective price of something is lowered, people are more likely to get it. Thus it is not only likely that someone would not have bought the CD if the pirate mp3s were not available, but it is actually more likely than not. This is of cause not a wholly moral practice, but it is cirtainly not as bad as many other evils that exist in society today. These are the infractions that occur on Kazaa and the ilk.

The second type of infraction is where one duplicates the media on which intellectual property is contained and sells it themselves at an actual monitary price. This is very different since there is a very obvious minimum bounds of loss of revinue caused by this which is of cause the markup on the pirated media. Motivation also changes in this type since there is a very clear misdirection in the chain of money where the pirate gets a clear financial benifit wheras they recieve none in the first set. This type of violation is criminal in most juristictions whereas the first type is wholly civil.

The third and most severe case is where intellectual property is rebranded and its credit is misappropriated to another party. This historically has been a result of industrial espionage but today, open source software is very vulnarable to it. This is equivalant to the Kazaa casual pirate claiming that they wrote "...And Justice for All". It means that not only does the pirate get the profit for the sale of the intellectual property instead of the legal creator, but those who are convinced to use this thing in future by seeing the rebranded thing will never go to the real author to get a copy for themselves. In either of the previous two types there is a likelyhood that the author will eventually get money or whatever they are looking for (usually an ego boost in the case of OSS) but in the third type this is not the cause. This is a far more thorough missapropriation of this IP and thus the term "stealing" is far more appropriate.

The reason that these three types are so neatly ranked is that as you can see, each one is a subset of the type before. Not everyone gets annoyed by violations every layer since OSS doesn't mind first or second type occuring but hates the third kind. SUN doesn't mind the first type occuring but hates the second and third with Java. Public domain doesn't mind any of the three. But no one will let one layer slide that is above something that annoys them.

This case with sony is clearly not a third type violation (which I would call stealing) but is a second type (which I would call piracy) since Sony did not claim to write this software or even advertise its existence. The GPL says you can do second type scenarios on the condition that you distribute the source code. Sony redistributed this IP for money but did not distribute the source code AFAIK so they voilated the rules on this level. This puts them on par with sleezy bootleg vendors on street courners and ebay pirate CD vendors but significantly worse than some kid downloading Nelly mp3s off Kazaa and significantly better than the jerks behind CherryOS.

So there you have it, why downloading some dumb pop song off the internet isn't as bad as taking credit for someone elses hard work and making millions of dollars off it and why sony are half way in between on this one.

Re:Sony isn't the only one to lambaste here

[schon]

For the purposes of this abuse of the LPGL, the owners and copyrights of material on the CD are irrelevant.

No, they really aren't. The owners are relevant because only the owners have a cause of action. The copyright status is relevant because without registration, only actual damages can be obtained. As the software is given away *for free*, that means that actual damages are $0. The *ONLY* remedy that could be granted is an order barring Sony from distributing the software.

The rights conferred by the LGPL apply between the recipient of the material and the distributor.

Actually, that's irrelevant.

They should have checked (yes I know that's hard, but copyright law doesn't care about "hard").

Wrong, copyright law *DOES* care about "hard". Sony was expected to perform due dilligence. Due dilligence includes things like vetting the contract and license from First4Internet. It does not include things such as reverse-engineering the software and scanning the result against every piece of software in existance, which could also be dual-licensed, in an attempt to see if there might be a match somewhere.

If you believe otherwise, please explain how Walmart, Best Buy, Amazon, and *EVERY OTHER RETAILER* that distributed these CDs are also not liable, as they distributed the software too.

as a recipient of the software from Sony, your beef would be with Sony, not F4I.

As a recipient of the software, you don't have a beef with *anyone*. Only the *authors* can bring suit for copyright infringement.

Everything I posted is relevant to the issue at hand. You claiming "it's irrelevant" doesn't change that. All you're doing is showing your ignorance of copyright law.

those people can obtain damages on the basis of sales already made.

No, they can't. That's the whole point of my post. You can only claim *actual* damages unless you've registered your copyright. The actual damages in this case is $0.

copyright exists whether registered or not.

Copyright might exist (please show where I said it didn't) - but unless you register your copyright, all you can sue for is *actual* damages, which (in this case) don't exist.

what is even

[suezz]

sicker is that apparently the companies that we rely on for getting rid of root kits knew about the software since 2004 and did nothing. good going guys.

doesn't it really make you look forward to VISTA - it is going to have this crap all over the os - they are working with media companies so everyone has to use windows to watch TV or DVDs.

none of these companies care about the consumer - they are going to give us what they are going to give us and that's it.

this why I chose open source and always will. no one is going to tell me how to use my computer.

Re:Wow. Just WOW.

[Sam H]

Why does Sony's DRM include code to break Apple's DRM? Are they just scanning for evidence that your code is running, staticly built the library because they were stealing some other aspect of your program, or do they actually want to decrypt Apple files?

It is likely that they are not using VLC's code but some other, smaller application that just happens to use our code (and which may or may not respect the GPL itself -- there may be unknown intermediaries in the story). The drms.c file is part of VLC's MPEG-4 / QuickTime demuxer, so it could be a music player or a media tagging utility, for instance.

Even if it was copyrighted

[bluGill]

Even if the string was copyrightable, your use is purely functional, and thus not subject to copyright laws in this case.

See Sega Vs Accolade [harvard.edu]

Nope

[Kythe]

It's not theft. It's copyright infringement, and Sony and others sue hundreds of people every month for many thousands of dollars over it.

Are you saying DVD Jon doesn't have the same rights as Sony?

Re:A share of profits?

[RobinH]

Well, when the vehicles have a tendency to blow up, they MIGHT do a recall. Ford did not do the recall with the Pinto because they calculated that paying the lawsuits would be cheaper than the cost of fixing the problem. I wonder how they accounted for the public relations backlash though...

However, the people who actually had their car blow up can sue for lost wages, medical expenses, damages, and in the case of the US, "pain and suffering". That is where the big bucks are paid.

In the case of the CDs, it's two different issues. The consumers are harmed by the product, and they could sue, which is why you see the class action suits. However, this article is talking about the copyright infringement, which has nothing to do with the consumer, and everything to do with the copyright holder vs. Sony (and first 4 internet, perhaps). Doing a recall of the CDs won't compensate the copyright holder for the copyright violation. The copyright holder can sue for statutory or actual damages caused by the copyright infringement simply because Sony distributed a copyrighted work that didn't belong to them.

Re:Stranger and stranger

[AlphaSys]

You're of course assuming SONY didn't do the due dilligence and decide to go ahead anyway. They may have known but decided "hey it's binary AND it's hidden. Nobody's gonna find it, and if they do, they'll be so pissed about what it does they won't even worry about what it used to do it. Seriously, if somebody finds us out, we'll have bigger problems than the (L)GPL." Which they do, only it's with two parties: the infringed against (separate problem, really GPL has nought to do with it) and the very pissed off and seriously impacted customers. There are two massive and divergent cases here, and SONY deserves everything it gets with both of them.

Re:A share of profits?

[Krach42]

The copyright holder can sue for statutory or actual damages caused by the copyright infringement simply because Sony distributed a copyrighted work that didn't belong to them.

And what is the range of that amount? Although, likely Sony would settle first rather than admit in court that they infringed on someone else's copyrights.

But persume that it could be proven beyond a shadow of a doubt that they had infringed on the person's code. (That the code is there, and it is actively executed, and not used as a fingerprint) And assume also that for all effective matters there were no actual damages beyond the non-release of code.

What kind of statutory damages could be received?