DVD Jon's Code In Sony Rootkit?

An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."

A share of profits?

[RobinH]

This is GPL'd code, not LGPL'd, right?

Anyway, DVD John can actually sue Sony for all *revenue* that Sony made from the sale of the CDs, if I'm not mistaken (not just profits). That would grab them where it hurts!

Who guessed it?

[OxygenPenguin]

I said right off the bat, that the Sony DRM package would be full of other's code. Seems to me that Sony hired some blackhats to get the job done for them. Violating the GPL is definitely the least of their worries, but just another strike against what is becoming an increasingly corrupt music giant.

Isn't that doubly illegal?

[meringuoid]

They've simultaneously violated DVD Jon's copyright on his code, and (in distributing it in the USA) violated the DMCA to boot!

Sony ought to be in some severely deep shit here. Of course they're a corporation, so they're mostly above the law, but we should still be able to get something to stick.

Stranger and stranger

[sgant]

This story get's weirder by the minute.

Though it wouldn't happen in a million years, I'd like to think this will bring Sony to it's knees. It won't, but someone can dream.

Not that I had anything against Sony in the first place, but since this crap they threw out there and expected everyone to just "take it", they need to be slapped and slapped often.

They haven't even apologized yet. At least I haven't seen it. Though just saying "sorry" doesn't cut it anymore as thousands of computers are now vulnerable in the world due to their greed.

Re:Sony isn't the only one to lambaste here

[l2718]

Not quite true -- Sony is "distributing" the software as defined by the GPL. Moreover, the work was preformed by First4Internet as agents of Sony. These both seem to indicate they are liable. On the DMCA side, they are "trafficking" in an anti-circumvention device (assuming the software does actually activate the codepath in question).

Re:PS3 vs. XBOX360

[Anonymous Coward]

That's completely retarded. The people responsible for the PS3 most likely have absolutely nothing to do with any of this. You might as well boycott all companies based in Japan since Sony is based in Japan. Or better yet, boycott all companies everywhere since buying anything could potentially improve the economy, which would help out Sony.

First4Internet could be in BIG trouble.

[meringuoid]

The Computer Misuse Act, 1990 [opsi.gov.uk]

3.(1) A person is guilty of an offence if
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.

I think First4Internet's little toy is designed to prevent or hinder access to programs and data held in a computer, don't you? And I really doubt that their click-through EULA constitutes authorisation to do so; it was fraudulently claimed that the Software was necessary to play the music, which was a plain lie as is shown by every Linux and Apple machine that plays it just fine without the rootkit installed.

I might add that even though these discs are not available in the UK, the Computer Misuse Act still holds [opsi.gov.uk].

Anyone know if we could possibly get Inspector Knacker to take a look at these felonious fellows?

Re:A share of profits?

[Alchemar]

If it is GPL code then wouldn't it make the EULA unenforcable under the cannot add other restrictions clause?

Let it be and Sony will reign in the RIAA

[Anonymous Coward]

If I were Jon, I'd see this as a simple question of aquiring legal immunity. When Sony (a member of RIAA) knows that they're going to face a multi-million dollar lawsuit the very minute the RIAA trespasses onto him again, they'll make sure that it won't happen. Jon can live forever happily in the knowledge that he can code whatever the hell pleases him, and Sony gets to walk away (somewhat) unblemished.

Weird

[Anonymous Coward]

It's as if the First4Internet purposely created the most vile collection of stolen snippets and sold it to Sony. How much did they get paid for this poison pill? They may have done it on purpose. Is it malice or incompetence?

I can't help, and I know I'm not the only one....

[HerculesMO]

laughing my ass off. I am sitting at work reading this and busting out in laughter. Granted, I can't explain this idiocy to near anybody at work and it's a totally 'nerd' joke, but you know what... it's DAMN funny!

Re:Isn't that doubly illegal?

[Albanach]

Actually if the software came from first4internet and first4internet are based in the UK then this could be interesting.

Under UK law copyright infringement is a criminal offence - in other words, report it to the police and they are obliged to investigate.

So if the copyright holder were to let the police know of their concerns and supply some evidence, the company that authored the software could have an interesting visit.

Is the DVD Jon code executed?

[logicnazi]

So I looked through the links and while one of the discoverers made it quite clear that the LAME code is not being used as data (never refereced). However, it was unclear to me if that was true for the DVD Jon code.

I mean the DVD john code seems like exactly the sort of thing one might want to search for on someone's computer to stop pirating. If indeed it is used only to identify the code it may be covered under fair use. It's an interesting legal question that I vaguely remember came up in virus/worm/spyware cases. Namely can a malware writter use some kind of simple code modification method to foul up simple hashes and then insist his copyright prevents anti-virus manufacturers from including large enough parts of the malware code to accurately detect it.

It might not be pleasent but if it's fair for the good guys to use code under fair use for detection then the bad guys get to do it as well.

Which reminds me I don't even remember the legal status of this DVD Jon code in the US. Is it illegal under the DMCA? Does this deny it copyright protection or a different measure.

Re:A share of profits?

[daviddennis]

The damages are near limitless.

$30,000 per infringement means $30,000 per sale of each CD. This is how they got to such huge damage claims in the peer to peer wars.

Sony's in genuine trouble on this one, and no matter what they look like hypocrites.

I have the strangest feeling DVD Jon's current boss knows a few good lawyers, so this won't be swept under the rug.

D

Sony VAIOs

[Anonymous Writer]

Does anybody know if Sony pre-installs this rootkit in the computers they sell? I thought their laptops were good products, and normally would be among my choices if I were to get a new one (slight possibility I may want to get a Windows laptop), but this whole rootkit thing changes that. If they so blatantly forced it onto people's computers through music CDs, even trying to on Macs, then I don't imagine they would have any qualms about forcing it onto their computer buyers as well.

Re:Isn't that doubly illegal?

[Hurricane78]

Well...if you don't know it yet: Sony is DYING!
They are struggling on the border of death for years now... and it ain't got any better...
So you don't need a *that* big thing to bring sony to fall...

Let's all wish it happens... some time it has to start to become better for us...

Re:Stranger and stranger

[scoove]

Bear in mind that Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet.

Let Sony say that to the court, perhaps after hearing several hours of testimony from parents of minor children who had to settle with the RIAA (which Sony supports) for $10,000 or more for intellectual property theft actions of their children they were unaware of.

Let's see... Sony and the RIAA estimate the value of a stolen tune at $105,000 or so, times the number of duplicated copies. Guessing Sony's latest DRM oops at only 50,000 copies shipped, that's 5.25 billion Sony owes to those whom they infringed. And don't forget, just as one can have more than one P2P file on a PC (at $105K value each), each party who was damaged by Sony's apparent theft should be entitled to a cut at these prices.

And unlike the parents Sony and the RIAA chased down, Sony has deep pockets and a higher standard given their full knowledge through RIAA persecution that intellectual property theft is wrong.

*scoove*

Re:Ah, but who put it there?

[canuck57]

I assume that some grey, suited MBA type didn't put this code in. A geek did.

The grey suited MBA paid for it to be done and the geek did what he was paid to do. And obviously Sony BMG marketing would have to approve as it is a change in their product. Legal would have been involved to license the code. Upper management would either have to put their heads in the sand or approve it.

I don't know what world your from but geeks don't have a rats ass of influence with senior management. If a brain dead CSO looked at this he might have said it may be in violation of section 1030 of the Computer Fraud and Abuse Act, targeted paying customers and may contain copyright violations.

Conspiracy to subvert users who buy their product is likely. But this story is so ironically cute and humorous it will go down in the business journals like coke classic and the like. Sony will wait 6 months and when sales are down come out with DRM free classic CDs.

Re:The day the music died (err was killed by Sony)

[bhtooefr]

We've banned copy protected music CDs...

It has been reported that music CDs released by Sony BMG contain a so-called rootkit, a tool that is normally meant to hide a backdoor, a tool used by hackers so that they can break in at a later time. Some viruses contain a rootkit so that they can hide themselves.

This particular rootkit is used to hide the Digital Rights Management software used by Sony BMG to prevent illegal copying of their CDs. However, several security experts have found that viruses and backdoors can easily be hidden using this rootkit. This rootkit also has been known to cause systems to crash. In addition, attempting to remove the rootkit by deleting the files will cause your CD drive to be disabled.

Due to this finding, we must ask that you not play any copy protected music CDs in any ***** ******* computer at this time. If you are not sure whether a CD is copy protected, do not play it. In addition, we recommend not playing copy protected music CDs, especially those released by Sony BMG, in your personal computers.

If you would like to find out whether your system has been infected by this particular rootkit, please follow these directions:

1. Create a new folder somewhere on your hard drive, naming it test (without the quotes).
2. Make sure that the folder is there, and then rename it to $sys$test (again, without the quotes).
3. If the folder disappears, you have the rootkit. A removal tool is available at: http://securityresponse.symantec.com/avcenter/FixR yknos.exe [symantec.com]

Again, thank you for assisting our efforts in preventing the spread of this rootkit.

Re:First4Internet could be in BIG trouble.

[Maestro4k]

I question the methodology. As far as I can tell, he's reporting which DNS servers have resolved queries for First4Internet. And he's doing it after the scandal has been all over the online news sites, all over the blogosphere and links to First4Internet's sites posted in a couple of dozen +5 comments on /.

I'd be surprised if there was a DNS server left on earth that hadn't recently handled a query for First4Internet by now.

I think the methodology is sounder than you think, the info on his page seems to indicate he didn't go by resolutions for just any F4I addresses but for addresses the rootkit used, particularly he mentions updates.xcp-aurora.com, something curious/outraged people aren't likely to try resolving for the hell of it.

In any case it's worth investigating, notice that not all of Europe is covered in red, although I'm sure the scandal has been reported there as well. There's a good possibility here that Sony has sold the CDs in the UK, and frankly it should be investigated because Sony deserves to be nailed with every law they violated for this little stunt.

Besides, has Sony ever released a list of all affected CDs yet?

Re:pissing contest.

[KinkoBlast]

Does that meen Best Buy and Wal*Mart (and local music stores, not that I even know where those are) are (L)GPL violators too? They distributed the CDs...

Re:Stranger and stranger

[Generic Guy]

ie, immediate action was action.

Except after the initial exposure of this rootkit in their products, Sony bigwigs were on NPR radio broadcast saying essentially (paraphrased) "What they don't know won't hurt them". I'd certainly content that constitutes delayed action, and possibly collusion. Plus the factoids coming out that this rootkit may have possibly been distributed by Sony for over a year now.

Regardless of who wrote it, Sony is still the one who deliberately distributed millions of CDs containing this malware. They should have done due diligence on their own product before shipping. They've supposedly stopped making CDs with XPC, but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again. Instead, they've done practically nothing (except some basic CYA by halting further production) and practically promised that they'll be trying this again in some form in the future. Hardly sounds like an 'innocent' party.

Sony certainly deserves to get their collective ass handed to them. Its just a shame it will have to happen through lawsuits and consumer boycotts, as you'd think they would learn not to abuse their own paying customers. I guess not.

P.S. Screw you Sony, your products, warranties, and service have been crap for years, but now I will actively avoid anything to do with you.

Re:Wow. Just WOW.

[iainl]

I thought that was roughly the case, thanks for confirming it. Sorry about saying it was just Jon's and forgetting about the rest of the team, too.

So, quite apart from the fact they've stolen your code, the question now is:

Why does Sony's DRM include code to break Apple's DRM? Are they just scanning for evidence that your code is running, staticly built the library because they were stealing some other aspect of your program, or do they actually want to decrypt Apple files?

This story just gets stranger.

DVD Jon works for Robertson

[One Louder]

DVD Jon now works for Michael Robertson, a multimillionaire with a pretty big grudge against the music publishers.

Robertson might be interested in bankrolling Jon in any litigation against Sony.

Re:The day the music died (err was killed by Sony)

[imadork]

The RIAA has never liked the fact that audio CD's could be used in PC's, because PC's are used to convert the audio CD tracks to MP3. This whole Rootkit thing was a way to make it harder for people to use their CD's on a PC, while not affecting their use in CD players, which is where God (working through the RIAA) intended for them to be played in the first place.

Don't you think they're celebrating now that using audio CD's in PC's is a security risk? I'm suprised they haven't done this sooner. Pretty soon, we'll be asking for Trusted Computing because because it will protect us from oursel^h^h^h^h^h^h the security risks inherent in unsafe CD playing....

Re:Sony's apology

[xnderxnder]

For a good giggle, check out F4I's press release from July:
Welsh DRM technology is a hit in the US [xcp-aurora.com]

"Ultimately this kind of retro-fitted digital rights management (DRM) can only place speed bumps in the way of determined audio pirates ..."

Um, yeah, the determined audio pirates that leave AutoRun turned on on their CD-ROM drives.

Oy.

Re:Very Dangerous Reasoning

[vinniedkator]

IANAL, but: I've often had to have vendors go through a code review when implementing custom applications in our network. You would think that Sony would require the same thing when putting software like this on millions of CDs. If they did have a policy they should be liable. If they didn't then they are morons for accepting software at face value that goes on their most important product.

Re:Stranger and stranger

[mrsev]

IANAL but ....

I do not think it matters who wrote the code in the first place. Sony sells the code and so has the responsibility...simple as that. In the same way that if i buy a PS3 and the disc drive is broken SONY cant tell me to take it up with Toshiba or whoever makes the drive. They sold it and they must deal with the consequences. They themselves are free to take it up with their supplier but this up to them.

Imagine you buy a car and the brakes fail the maunfacturer cant avoid liability by saying that it is the fault of the guy who refined the steel and that i should take it up with him.

If it was the case that guilt could be passed down the line then all drug dealers would go free by saying it wasnt my fault you should prosecute the Afgan farmer who planted the poppies, I am merely "passing" it along.

It does not matter who is at FAULT it matters who is RESPONSIBLE.

     

Re:A share of profits?

[someone1234]

No, if it would truly contain gpl code, they didn't acknowledge the license. Thus they infringed copyright. Nothing 'more'.

Actually, i'm unsure why they had this new code in. some possibilities:
1. support playing of apple drm'd music (invalid because they surely use his whole code which constitutes copyright infringement)
2. scan for DVD Jon's code and block its usage (valid - fair use, they use only signatures)

Re:Very Dangerous Reasoning

[Krach42]

The problem is that you *are* responsible for copyright infringement on code that you receive. It's the same thing as with stolen goods.

To draw a more potent example (because it's known that the code in this case is active, and not possibly "just a fingerprint"), it is entirely plausible that Geico would be liable for the programs they received from MXS. And they're just a customer using the stoftware! They're not even involved in the development. Another example is that every linux user would potentially be liable if Linux were to be found to contain code that SCO owns the copyright for. (Thus, the reason for indemnification, etc)

Basically, the issue here would be that Sony did not take due dilligence to ensure that the code provided to them were unencumbered. And you better believe that F4I will attempt to show that they *did* notify Sony of any encumberances, at which point Sony would be screwed, and F4I would be fine, because they complied with the (L)GPL, and Sony failed to redistribute properly.

Ignorance has never been an excuse of receiving stolen goods, or receiving infringing copyrighted material.

In this case, Sony would be working much like a fence. They would take the directly stolen code (and thus not at fault for the actual theft) and then they would peddle it out (accessory, plus some more extra stuff, like selling stolen goods.) So if anything, Sony is at least equally guilty of any infringement that F4I did on their behalf. ... IANAL, but this is what the law says.

Re:Stranger and stranger

[AgentGibbled]

"but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again."

Actually, it appears that they *do* plan to offer replacement discs [sonybmg.com]. I tried to post this to the main page (a fairly significant development, IMHO), but alas it was rejected. In other news, Mark Russinovich is declaring victory [sysinternals.com] as a result.

I'm not saying that makes everything okay... I'm just saying that they're not being *total* jerks about this (just *partial* jerks). I expect we'll see more of a response out of Sony once that large bureaucratic ball eventually does get rolling. In an organization the size of Sony, I'd bet it has quite a lot of intertia.

And no, I won't be buying any more Sony CDs... or probably anything else - just on principle.

Re:Is the DVD Jon code executed?

[logicnazi]

If you had looked at my post hard enough you would have seen I said the LAME code was never used as *data*, i.e., over code never reads the area of memory the LAME code resides at. I said nothing about it not being executed.

Anyway I made no claim that Sony would be okay with you acting as described. Luckily Sony is not the court. Of course the courts aren't stupid so they aren't going to believe that your huge library of music is really being used and necessery for recognizing songs you come across. If you kept the music in some non-playable (without difficult extraction) form (maybe pre-processed to match against snippets) the situation might be different.

The question is not about the non-execution. I tend to agree this is not itself legally relevant. The question is whether using someone else's copyrighted work for the soul purpose of recognizing that work when it appears counts as fair use. The fact that it is not executed is only relevant insofar as it supports the idea that it is being only used to regonize the work.

Frankly I don't know, though I think there have been some cases about it. If you had some legal grounds for your conclusion I would love to hear them but it isn't the sort of thing one can just intuit without knowing anything about it.

Re:PS3 vs. XBOX360

[nzkbuk]

M$ was more public about what their rootkit does. They tell you it phones home etc.

Sony installs theirs without telling you and then if you try to uninstall it, it roots you even worse