DVD Jon's Code In Sony Rootkit?
An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."
Sony isn't the only one to lambaste here (Score:4, Insightful)
Most folks don't review the source code of software they purchase to determine if its license-tree is clean.
Sony definitely made a truly dumb move by utilizing this DRM software (and several other dumb moves subsequently), but let's not let First4Internet off the hook either.
Wow. Just WOW. (Score:5, Insightful)
"pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq."
ROT 13 it, and you get
"copyright (c) Apple Computer, Inc. All Rights Reserved."
You couldn't make it up, could you?
Re:Isn't that doubly illegal? (Score:3, Insightful)
Re:A share of profits? (Score:5, Insightful)
Re:Stranger and stranger (Score:5, Insightful)
Re:A share of profits? (Score:1, Insightful)
I think Sony already got the message since they're recalling all those CDs. I wouldn't blame Sony too much since they're just trying to stop pirates from copying their music, but they should've done a more thorough job of investigating the technology that First 4 Internet uses to accomplish that.
Re:Stranger and stranger (Score:5, Insightful)
Re:Stranger and stranger (Score:5, Insightful)
Actually, Sony were responsible for distributing the software.
That's why they're in trouble.
Re:Stranger and stranger (Score:5, Insightful)
The GPL violations lie firmly on the shoulders of F4I. If Sony did not disassemble the code or inspect the source, they had no way of knowing.
We certainly CAN blame Sony for throwing crap DRM at us in the first place, and we can criticize their PR response to this whole mess. But we cannot blame them for GPL stuff.
And as far as the uninstall fiasco goes, Sony did not write the software, so I am sure that they do not know how to remove it. They have to rely on F4I to supply the uninstall software. But, once again, it IS their fault that they did not pull the uninstall program earlier once the security holes had been found. But Sony is a corporation, with probably 1,000 layers of management, so even that is understandable.
Re:A share of profits? (Score:2, Insightful)
Is it actually using the code? (Score:3, Insightful)
If these are small segments, used for identifying and disabling the software, then the copyright defence could be fair use. And there's no way I'll say that copyright should prevent this.
Re:Stranger and stranger (Score:5, Insightful)
I'm beginning to wonder... (Score:3, Insightful)
It was obviously a golden opportunity to bring the whole DRM BS to a head.
If that's the case, bravo!!
Re:A share of profits? (Score:5, Insightful)
*I* would. Are you seriously saying that if they committed copyright infringement to prevent copyright infringement it's ok because they're preventing copyright infringement? And that rootkitting thousands of machines worldwide is perfectly fine because "they're just trying to stop pirates"? wow! I want what you're smoking!
pissing contest. (Score:3, Insightful)
No, this is far beyond a "vote with your wallet" story. Sony BMG broke some laws they thought were important for their business model, and now they should bleed for it.
Re:I'm suprised that the execs at Sony...... (Score:5, Insightful)
"First 4 Internet" are idiots for thinking they were more clever than several million computer geeks around the world. Sony are idiots for not thoroughly researching exactly what the software they licensed did, and how it did it, as well as thinking they had some right to do as they wish with someone else's property.
Re:Who guessed it? (Score:3, Insightful)
Err, no. Sony licensed a product that was developed by a bunch of ass hats. Sony, while incompetent, could sue the party they licensed the software from for many of their woes.
-Rick
No-one truly cares though (Score:2, Insightful)
So obviously Sony (or the company that wrote the code if you want to get pedantic) is right to have infringed upon DVD Jon's code. However you won't see anywhere near as many posts saying as much in this article as the one I linked to. Why? Because GPL infringement affects a lot of members here, and they don't like the idea of their license being abused.
So it all comes down to Slashdot isn't the place to go to if you want to hear intelligent debate about copyright laws. You'll just get a lot of chest thumping and hypocritical posts.
Re:So let me get this straight... (Score:2, Insightful)
It's actually quite simple. Those of us who weren't exposed to too much lead when we were children are able to work it out with only minimal thought. Here's how it goes:
Downloading a commercial mp3 = unauthorised copying = copyright infringement.
Downloading a commercial mp3, claiming that you recorded it and then selling it to others = theft.
I realise that I haven't directly mentioned software, GPLed or otherwise and that you will therefore have to put some thought into how the above rules might apply. That should keep you occupied for a couple of years during which you won't be able to earn cheap karma by parroting tired old comments that we've already seen a million times before. If we're lucky, you may even develop some original thoughts that you can share with us.
Re:First4Internet could be in BIG trouble. (Score:2, Insightful)
I question the methodology. As far as I can tell, he's reporting which DNS servers have resolved queries for First4Internet. And he's doing it after the scandal has been all over the online news sites, all over the blogosphere and links to First4Internet's sites posted in a couple of dozen +5 comments on /.
I'd be surprised if there was a DNS server left on earth that hadn't recently handled a query for First4Internet by now.
Re:Stranger and stranger (Score:4, Insightful)
Re:No-one truly cares though (Score:5, Insightful)
Look, it's very simple: people are kicking up a fuss about this because it is hypocritical for Sony to maintain its anti-copyright-infringement stance, and attempt to take the moral high ground in this regard, if Sony itself is infringing copyright left, right and centre.
If a politically powerful, fanatical anti-drug campaigner who constantly lobbied for pot-smokers to be thrown in jail for years and fined huge sums of money were caught smoking pot, I would not be surprised to see large numbers of people demanding that he be thrown in jail and fined millions, in keeping with the laws that he himself helped establish, even if they were pro-legalisation activists who firmly believe that the laws are unjust.
It is a challenge to the legal system to treat everyone equally under the law, and thus either apply an unfair, draconian law to everyone, including powerful parties who have previously used the law against their enemies, or to concede that the law is unfair and change it.
Re:Stranger and stranger (Score:5, Insightful)
All parties involved in an illegal activity are responsible for that activity. Sony is no different.
Very Dangerous Reasoning (Score:5, Insightful)
You know, I think that this does make sense. However, this is a very dangerous line of reasoning. If you let Sony get off with no consequences for distributing stolen code, then you will never be able to prosecute any big corporation for code copyright violations.
All a mega-corp need do is find a small, arms-length firm to launder the stolen code. Let that small firm actually steal it and then hand it on a silver platter to the mega-corp. If the mega-corp is caught, the small firm takes the hit and disappears in a puff of bankruptcy. Then mega-corp goes on to the next small firm.
If Sony truly didn't know about this, then they probably should not be liable for any statutory damages. However, they did distribute the code--which is technically a violation. Sony should be the one accountable for that violation and Sony should be able to sue First4Internet--unless of course First4Internet's license with Sony includes the standard indemnification clause like we see in most EULAs. In that case, Sony will be hoisted by their own petard--and it couldn't happen to a nicer group of people.
Re:Stranger and stranger (Score:3, Insightful)
Re:A share of profits? (Score:3, Insightful)
Re:PS3 vs. XBOX360 (Score:3, Insightful)
Ok, I have friends who work at SCEA. You want to punish them? The idea to use f4i DRM wasn't theirs [fuck they don't even work for Sony Music].
So by your logic we should punish everyone by association. I can think of another group that did that. They were called Nazis.
[sorry Godwin...]
Point is if you think this is bad don't buy Sony Music. If you think PS3 DRM is bad don't buy Sony gaming products. But don't just punish one group because another did something else.
And really, you should actually talk with Sony folk. They may be under the same parent company but when you get down to the day-to-day work SCEA and Sony Music are different groups with different products and different goals.
As for the moral superiority of MSFT that the original post was suggesting [e.g. do I get 360 or ps3] this alone shouldn't be a deciding factor.
Pick whichever has the better games [for your taste] and fits in the budget.
Tom
Re:Stranger and stranger (Score:3, Insightful)
Bush didn't lie to the world, the CIA just enhanced a couple of reports with speculatively extrapolated contingency scenarios.
Satan isn't responsible for the fall of Man, Eve was the one who gave Adam the fruit.
Sony...naw, Sony is as pure as a freshly powdered baby's bottom.
Re:No-one truly cares though (Score:5, Insightful)
I'd say that at least a third of the population condones non-commercial copyright infringement... The point is, when an act is accepted by a significant proportion of the population, chances are that act is ethical
So obviously Sony (or the company that wrote the code if you want to get pedantic) is right to have infringed upon DVD Jon's code.
How is this copyright infringement non-commercial? It was done for profit by an organization whose stated goal is to make money.
So it all comes down to Slashdot isn't the place to go to if you want to hear intelligent debate about copyright laws.
True enough, but only because there are so many people like you who don't seem able to comprehend the arguments put forth. A significant number of people infringe copyright non-commercially and that indicates that the will of the people might be that it should be legal. A significant number of people do not commercially infringe copyrights or condone it. I'd agree with that argument, as would many people. But to claim it is hypocritical is ridiculous. It is called a false dichotomy. There is no hypocrisy in believing that non-commercial copyright infringement should be legal, but commercial should be illegal. There is no hypocrisy in believing our copyright system is corrupt and counterproductive, but still believing a copyright system that is better designed can be useful. There is no hypocrisy in believing business and software patents are garbage, but traditional patents are a good idea. There is no hypocrisy in believing Toyota makes reliable cars but Ford does not. Please take the time to actually read and understand an argument someone puts forth before declaring them a hypocrite and ascribing a whole lot of motives to them, even though you obviously have no way of knowing them.
Re:Sony isn't the only one to lambaste here (Score:2, Insightful)
Do you know if their source trees are clean? One might suspect they are, even be pretty confident that they are.
Here is the difference (Score:5, Insightful)
There are many types of copyright violations with very different types of severity:
The first type is when someone goes out and downloads a song, let's say "...And Justice for All" by Metallica; they have simply avoided paying for it by getting it through illegal means. This does not equate to any directly measurable loss of revenue because when the effective price of something is lowered, people are more likely to get it. Thus it is not only likely that someone would not have bought the CD if the pirate mp3s were not available, but it is actually more likely than not. This is of course not a wholly moral practice, but it is certainly not as bad as many other evils that exist in society today. These are the infractions that occur on Kazaa and the ilk.
The second type of infraction is where one duplicates the media on which intellectual property is contained and sells it themselves at an actual monetary price. This is very different since there is a very obvious minimum bounds of loss of revenue caused by this, which is of course the markup on the pirated media. Motivation also changes in this type since there is a very clear misdirection in the chain of money where the pirate gets a clear financial benefit whereas they receive none in the first set. This type of violation is criminal in most jurisdictions whereas the first type is wholly civil.
The third and most severe case is where intellectual property is rebranded and its credit is misappropriated to another party. This historically has been a result of industrial espionage but today, open source software is very vulnerable to it. This is equivalent to the Kazaa casual pirate claiming that they wrote "...And Justice for All". It means that not only does the pirate get the profit for the sale of the intellectual property instead of the legal creator, but those who are convinced to use this thing in future by seeing the rebranded thing will never go to the real author to get a copy for themselves. In either of the previous two types there is a likelihood that the author will eventually get money or whatever they are looking for (usually an ego boost in the case of OSS) but in the third type this is not the case. This is a far more thorough misappropriation of this IP and thus the term "stealing" is far more appropriate.
The reason that these three types are so neatly ranked is that as you can see, each one is a subset of the type before. Not everyone gets annoyed by violations at every layer since OSS doesn't mind the first or second type occurring but hates the third kind. SUN doesn't mind the first type occurring but hates the second and third with Java. Public domain doesn't mind any of the three. But no one will let one layer slide that is above something that annoys them.
This case with Sony is clearly not a third type violation (which I would call stealing) but is a second type (which I would call piracy) since Sony did not claim to write this software or even advertise its existence. The GPL says you can do second type scenarios on the condition that you distribute the source code. Sony redistributed this IP for money but did not distribute the source code AFAIK so they violated the rules on this level. This puts them on par with sleazy bootleg vendors on street corners and eBay pirate CD vendors but significantly worse than some kid downloading Nelly mp3s off Kazaa and significantly better than the jerks behind CherryOS.
So there you have it, why downloading some dumb pop song off the internet isn't as bad as taking credit for someone else's hard work and making millions of dollars off it and why Sony are halfway in between on this one.
Re:Sony isn't the only one to lambaste here (Score:3, Insightful)
No, they really aren't. The owners are relevant because only the owners have a cause of action. The copyright status is relevant because without registration, only actual damages can be obtained. As the software is given away *for free*, that means that actual damages are $0. The *ONLY* remedy that could be granted is an order barring Sony from distributing the software.
The rights conferred by the LGPL apply between the recipient of the material and the distributor.
Actually, that's irrelevant.
They should have checked (yes I know that's hard, but copyright law doesn't care about "hard").
Wrong, copyright law *DOES* care about "hard". Sony was expected to perform due diligence. Due diligence includes things like vetting the contract and license from First4Internet. It does not include things such as reverse-engineering the software and scanning the result against every piece of software in existence, which could also be dual-licensed, in an attempt to see if there might be a match somewhere.
If you believe otherwise, please explain how Walmart, Best Buy, Amazon, and *EVERY OTHER RETAILER* that distributed these CDs are also not liable, as they distributed the software too.
as a recipient of the software from Sony, your beef would be with Sony, not F4I.
As a recipient of the software, you don't have a beef with *anyone*. Only the *authors* can bring suit for copyright infringement.
Everything I posted is relevant to the issue at hand. You claiming "it's irrelevant" doesn't change that. All you're doing is showing your ignorance of copyright law.
those people can obtain damages on the basis of sales already made.
No, they can't. That's the whole point of my post. You can only claim *actual* damages unless you've registered your copyright. The actual damages in this case is $0.
copyright exists whether registered or not.
Copyright might exist (please show where I said it didn't) - but unless you register your copyright, all you can sue for is *actual* damages, which (in this case) don't exist.
what is even (Score:5, Insightful)
doesn't it really make you look forward to VISTA - it is going to have this crap all over the os - they are working with media companies so everyone has to use windows to watch TV or DVDs.
none of these companies care about the consumer - they are going to give us what they are going to give us and that's it.
this is why I chose open source and always will. no one is going to tell me how to use my computer.
Re:Wow. Just WOW. (Score:5, Insightful)
It is likely that they are not using VLC's code but some other, smaller application that just happens to use our code (and which may or may not respect the GPL itself -- there may be unknown intermediaries in the story). The drms.c file is part of VLC's MPEG-4 / QuickTime demuxer, so it could be a music player or a media tagging utility, for instance.
Even if it was copyrighted (Score:3, Insightful)
Even if the string was copyrightable, your use is purely functional, and thus not subject to copyright laws in this case.
See Sega Vs Accolade [harvard.edu]
Nope (Score:3, Insightful)
Are you saying DVD Jon doesn't have the same rights as Sony?
Re:A share of profits? (Score:3, Insightful)
However, the people who actually had their car blow up can sue for lost wages, medical expenses, damages, and in the case of the US, "pain and suffering". That is where the big bucks are paid.
In the case of the CDs, it's two different issues. The consumers are harmed by the product, and they could sue, which is why you see the class action suits. However, this article is talking about the copyright infringement, which has nothing to do with the consumer, and everything to do with the copyright holder vs. Sony (and First 4 Internet, perhaps). Doing a recall of the CDs won't compensate the copyright holder for the copyright violation. The copyright holder can sue for statutory or actual damages caused by the copyright infringement simply because Sony distributed a copyrighted work that didn't belong to them.
Re:Stranger and stranger (Score:2, Insightful)
Re:A share of profits? (Score:3, Insightful)
And what is the range of that amount? Although, likely Sony would settle first rather than admit in court that they infringed on someone else's copyrights.
But presume that it could be proven beyond a shadow of a doubt that they had infringed on the person's code. (That the code is there, and it is actively executed, and not used as a fingerprint) And assume also that for all effective matters there were no actual damages beyond the non-release of code.
What kind of statutory damages could be received?