Forgot your password?
typodupeerror
Media Privacy

DVD Jon's Code In Sony Rootkit? 585

Posted by Zonk
from the when-will-it-end dept.
An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."
This discussion has been archived. No new comments can be posted.

DVD Jon's Code In Sony Rootkit?

Comments Filter:
  • by VincenzoRomano (881055) on Thursday November 17, 2005 @09:52AM (#14051572) Homepage Journal
    The Revenge of the Sick (with copy protections)!
  • hmm (Score:5, Funny)

    by Tibor the Hun (143056) on Thursday November 17, 2005 @09:52AM (#14051573)
    looks like they owe the kid some royalties...
    • by sgant (178166) on Thursday November 17, 2005 @10:00AM (#14051642) Homepage Journal
      This story get's weirder by the minute.

      Though it wouldn't happen in a million years, I'd like to think this will bring Sony to it's knees. It won't, but someone can dream.

      Not that I had anything against Sony in the first place, but since this crap they threw out there and expected everyone to just "take it", they need to be slapped and slapped often.

      They haven't even apologized yet. At least I haven't seen it. Though just saying "sorry" doesn't cut it anymore as thousands of computers are now vulnerable in the world due to their greed.
      • by BushCheney08 (917605) on Thursday November 17, 2005 @10:04AM (#14051672)
        Bear in mind that Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet [xcp-aurora.com]. While we all should (rightfully) be pissed at Sony for including this on a bunch of their CDs, we should be equally as pissed (or moreso) at First 4 Internet for their (L)GPL violations and for making this product in the first place.
        • by A beautiful mind (821714) on Thursday November 17, 2005 @10:12AM (#14051736)
          Isn't Sony the distributor, thus the violator of (L)GPL ?
          • by BushCheney08 (917605) on Thursday November 17, 2005 @10:22AM (#14051832)
            IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code). Not to mention, they pulled the CDs from the shelves already, which they could say coincided with the revelation of copyright violations on the discs -- ie, immediate action was action. I'm not trying to defend them or their practices at all, I'm merely looking at it from a "who can be held accountable" point of view.
            • by JustOK (667959) on Thursday November 17, 2005 @10:40AM (#14051990) Journal
              It was Bush, wasn't it? I mean, he lied about the Windows Media Discs, didn't he? Or something?
            • by bri2000 (931484) on Thursday November 17, 2005 @11:03AM (#14052208)
              That sort of defence might work for, say, a magazine cover disc that inadvertantly included a virus but not here. The inclusion of this software will have been a big thing for Sony. They will have paid to license the code from F4I and deliberately included it in their products. For them to say they didn't know what it did or that it didn't work as believed it did is no more of a defence than it would be for a car manufacturer to claim it isn't liable for it's vehicles catching fire because this is caused by a faulty fuel pump made by somebody else. Sony may be entitled to an indemnity from F4I (although when a company has shown themselves to be this incompetent I wouldn't be at all surprised if Sony forgot to demand this...) but that's a different matter (and probably worthless given the size of the mess). Where damage has been done it's been caused by a Sony product. Therefore Sony are liable. The fact they don't seem to have bothered with any sort of due dilligence on the software they were licensing which caused the damage is no defence.
            • by isn't my name (514234) <slash.threenorth@com> on Thursday November 17, 2005 @11:12AM (#14052305)
              IANAL (nor do I ever want to be), but my guess would be that F4I would count as the initial distributor and Sony would be able to claim ignorance to get out of it (which is true -- I highly doubt they had access to the source code).

              You know, I think that this does make sense. However, this is a very dangerous line of reasoning. If you let Sony get off with no consequences for distributing stolen code, then you will never be able to prosecute any big corporatio for code copyright violations.

              All a mega-corp need do is find a small, arms-length firm to launder the stolen code. Let that small firm actually steal it and then hand it on a silver platter to the mega-corp. If the mega-corp is caught, the small firm takes the hit and disappears in a puff of bankrupcy. Then mega-corp goes on to the next small firm.

              If Sony truly didn't know about this, then they probably should not be liable for any statutory damages. However, they did distribute the code--which is technically a violation. Sony should be the one accountable for that violation and Sony should be able to sue First4Internet--unless of course First4Internet's license with Sony includes the standard indemnification clause like we see in most EULA's. In that case, Sony will be hoisted by their own petard--and it couldn't happen to a nicer group of people.
              • by lpevey (115393) on Thursday November 17, 2005 @12:01PM (#14052884)
                Product liability law is a bit different from standard negligence law. If liability can be attached, the law specifically allows claimants to recover damages from any part of the supply chain, not just the manufacturer or original supplier. I.e., even Best Buy could be held liable. This common law feature is called strict liability of torts, I think, and probably evolved to prevent passing of the buck.
              • by vinniedkator (659693) on Thursday November 17, 2005 @01:50PM (#14054135)
                IANAL, but: I've often had to have vendors go through a code review when implementing custom applications in our network. You would think that Sony would require the same thing when putting software like this on millions of CDs. If they did have a policy they should be liable. If they didn't then they are morons for accepting software at face value that goes on their most important product.
              • The problem is that you *are* responsible for copyright infringement on code that you receive. It's the same thing as with stolen goods.

                To draw a more potent example (because it's known that the code in this case is active, and not possibly "just a fingerprint"), it is entirely plausible that Geico would be liable for the programs they received from MXS. And they're just a customer using the stoftware! They're not even involved in the development. Another example is that every linux user would potentia
            • by Generic Guy (678542) on Thursday November 17, 2005 @11:30AM (#14052516)
              ie, immediate action was action.

              Except after the initial exposure of this rootkit in their products, Sony bigwigs were on NPR radio broadcast saying essentially (paraphrased) "What they don't know won't hurt them". I'd certainly content that constitutes delayed action, and possibly collusion. Plus the factoids coming out that this rootkit may have possibly been distributed by Sony for over a year now.

              Regardless of who wrote it, Sony is still the one who deliberately distributed millions of CDs containing this malware. They should have done due diligence on their own product before shipping. They've supposedly stopped making CDs with XPC, but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again. Instead, they've done practically nothing (except some basic CYA by halting further production) and practically promised that they'll be trying this again in some form in the future. Hardly sounds like an 'innocent' party.

              Sony certainly deserves to get their collective ass handed to them. Its just a shame it will have to happen through lawsuits and consumer boycotts, as you'd think they would learn not to abuse their own paying customers. I guess not.



              P.S. Screw you Sony, your products, warranties, and service have been crap for years, but now I will actively avoid anything to do with you.

              • by AgentGibbled (688180) on Thursday November 17, 2005 @03:35PM (#14055339)

                "but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again."

                Actually, it appears that they *do* plan to offer replacement discs [sonybmg.com]. I tried to post this to the main page (a fairly significant development, IMHO), but alas it was rejected. In other news, Mark Russinovich is declaring victory [sysinternals.com] as a result.

                I'm not saying that makes everything okay... I'm just saying that they're not being *total* jerks about this (just *partial* jerks). I expect we'll see more of a response out of Sony once that large bureaucratic ball eventually does get rolling. In an organization the size of Sony, I'd bet it has quite a lot of intertia.

                And no, I won't be buying any more Sony CDs... or probably anything else - just on principle.

            • by Sique (173459) on Thursday November 17, 2005 @11:45AM (#14052696) Homepage
              According to both LGPL and GPL the one you get the software from is the distributor. He is the one responsible for adhering to the licenses. He can of course sue his own software provider later, but for now it's Sony that distributed the programs.

              If Sony is providing the source code for the programs and restates that the software is unter GPL (thus giving you the right to modify and distribute your modification), then everything is fine between Sony and you though.

              There have been several similar cases in Europe about this, and in every case the GPL has been found valid, and the violation of the license has been considered healed, if the final distributor was able to get hold of the source code and distribute this one too under GPL.

              Check GPL v2.0 section 4:
              4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

              For Sony this means: They lost the right to distribute the Program, and they will be in violation of the GPL until they start to comply with the GPL themselves (e.g. distributing the source and allowing modifications and redistribution under GPL).
        • by meringuoid (568297) on Thursday November 17, 2005 @10:13AM (#14051737)
          The Computer Misuse Act, 1990 [opsi.gov.uk]

          3.(1) A person is guilty of an offence if
          (a) he does any act which causes an unauthorised modification of the contents of any computer; and
          (b) at the time when he does the act he has the requisite intent and the requisite knowledge.
          (2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
          (a) to impair the operation of any computer;
          (b) to prevent or hinder access to any program or data held in any computer; or
          (c) to impair the operation of any such program or the reliability of any such data.

          I think First4Internet's little toy is designed to prevent or hinder access to programs and data held in a computer, don't you? And I really doubt that their click-through EULA constitutes authorisation to do so; it was fraudulently claimed that the Software was necessary to play the music, which was a plain lie as is shown by every Linux and Apple machine that plays it just fine without the rootkit installed.

          I might add that even though these discs are not available in the UK, the Computer Misuse Act still holds [opsi.gov.uk].

          Anyone know if we could possibly get Inspector Knacker to take a look at these felonious fellows?

          • by Thud457 (234763) on Thursday November 17, 2005 @10:48AM (#14052059) Homepage Journal
            Sony CDs banned in the workplace [boingboing.net]

            I've been chasing down several accounts of government agencies, companies, educational institutions and others banning the use of Sony CDs on their PCs, due to the security risks of having Sony's rootkit DRM infecting their PCs. One government ministry, Alberta Agriculture, has banned the use of music CDs altogether, since Sony is hardly the only music company crippling its CDs with sneaky, malicious software. Here are a couple examples:

            It has been brought to our attention that there is significant risk to the security and the operation of UC computers in using Sony BMG produced CDs. For this reason, the use of Sony BMG produced CDs in University of Canberra computers is prohibited.

            Here I thought this would only happen for "secure" workplaces. Sorta makes you feel sorry for SCO, they can't get anyone to even look at the crazy they're selling when Sony's got such a superior line of insane self-destructiveness.

            • We've banned copy protected music CDs...

              It has been reported that music CDs released by Sony BMG contain a so-called rootkit, a tool that is normally meant to hide a backdoor, a tool used by hackers so that they can break in at a later time. Some viruses contain a rootkit so that they can hide themselves.

              This particular rootkit is used to hide the Digital Rights Management software used by Sony BMG to prevent illegal copying of their CDs. However, several security experts have found that viruses and backdoo

            • The RIAA has never liked the fact that audio CD's could be used in PC's, because PC's are used to convert the audio CD tracks to MP3. This whole Rootkit thing was a way to make it harder for people to use their CD's on a PC, while not affecting their use in CD players, which is where God (working through the RIAA) intended for them to be played in the first place.

              Don't you think they're celebrating now that using audio CD's in PC's is a security risk? I'm suprised they haven't done this sooner. Pretty soo

        • by replicant108 (690832) on Thursday November 17, 2005 @10:14AM (#14051747) Journal
          Sony will never say that they're responsible for it. After all, they merely licensed the copy protection scheme from First 4 Internet.

          Actually, Sony were responsible for distributing the software.

          That's why they're in trouble.

        • pissing contest. (Score:3, Insightful)

          by leuk_he (194174)
          You buy a cd from sony (or an artist...), not from some spyware compagny. And if f4internet blaimes 1 roque employee, will you accept that as a defense?

          No this is far beyond a "vote with your wallet" story. sony BMG broke some laws they though were important for their business model, and now they should bleed for it.
        • by cgenman (325138) on Thursday November 17, 2005 @11:11AM (#14052302) Homepage
          Sony paid someone for a root kit to be secretly installed on people's machines. A root kit. You know, like paying a criminal to bug someone's phone. Sony damn well should have gone over that thing with a fine toothed comb, as it would have been trivial for First4Internet to get credit card numbers, access to bank accounts, corporate secrets, and anything else it wanted. Or, say, accidentally give access to that stuff to everyone in the world.

          All parties involved in an illegal activity are responsible for that activity. Sony is no different.

        • by mrsev (664367)
          IANAL but ....

          I do not think it matters who wrote the code in the first place. Sony sells the code and so has the responsibility...simple as that. In the same way that if i buy a PS3 and the disc drive is broken SONY cant tell me to take it up with Toshiba or whoever makes the drive. They sold it and they must deal with the consequences. They themselves are free to take it up with their supplier but this up to them.

          Imagine you buy a car and the brakes fail the maunfacturer cant avoid liability by saying tha
      • by harrkev (623093) <kfmsd.harrelsonfamily@org> on Thursday November 17, 2005 @10:15AM (#14051763) Homepage
        I am not sure that I would come down too hard on Sony for this...

        The GPL violations lie firmly on the shoulders of F4I. If Sony did not disassemble the code or inspect the source, they had no way of knowing.

        We certainly CAN blame Sony for throwing crap DRM at us in the first place, and we can criticize their PR response to this whole mess. But we cannot blame them for GPL stuff.

        And as far as the uninstall fiasco goes, Sony did not write the software, so I am sure that they do not know how to remove it. They have to rely on F4I to supply the uninstall software. But, once again, it IS their fault that they did not pull the uninstall program earlier once the security holes had been found. But Sony is a corporation, with probably 1,000 layers of management, so even that is understandable.
        • by Urusai (865560)
          Walmart didn't hire those illegals, they just hired a company that employed illegals and made them live in the back of Walmart.

          Bush didn't lie to the world, the CIA just enhanced a couple of reports with speculatively extrapolated contingency scenarios.

          Satan isn't responsible for the fall of Man, Eve was the one who gave Adam the fruit.

          Sony...naw, Sony is as pure as a freshly powdered baby's bottom.
  • by RandoX (828285) on Thursday November 17, 2005 @09:52AM (#14051577)
    That's what I get for actually trying to RTFA, I guess.
  • by 8127972 (73495) on Thursday November 17, 2005 @09:53AM (#14051588)
    .... still have feet after shooting themselves in the foot so often.
  • A share of profits? (Score:5, Interesting)

    by RobinH (124750) on Thursday November 17, 2005 @09:54AM (#14051593) Homepage
    This is GPL'd code, not LGPL'd, right?

    Anyway, DVD John can actually sue Sony for all *revenue* that Sony made from the sale of the CDs, if I'm not mistaken (not just profits). That would grab them where it hurts!
    • by RobinH (124750) on Thursday November 17, 2005 @10:04AM (#14051669) Homepage
      Actually I might be thinking patent infringement there. Seems like in a copyright case they could sue for statutory or actual damages if the material has been registered with the copyright office. The statutory damages might be $750 to $30,000 per infringement, but a judge can go above or below those numbers. Actual damages requires you to prove loss of income, which would be difficult in this case, since the code is distributed freely (in the sense of beer).
    • So now all Jon needs is someone with power to help with the lawsuit. Someone like Micheal Robertson [michaelrobertson.com]. ;) Hey, he's in luck!
    • by Alchemar (720449) on Thursday November 17, 2005 @10:13AM (#14051739)
      If it is GPL code then wouldn't it make the EULA unenforcable under the cannot add other restrictions clause?
      • Forget the GPL; does the rootkit actually *use* this code? If so, then I think Aple has a pretty clear DMCA case against Sony, since they certainly didn't license FairPlay DRM for Sony to use. And Apple is much more likely than DVD Jon to have both the inclination *and* the means to start a big legal fight about it. Sony breaking Apple's DRM with their rootkit designed to protect their own DRM would be irony too delicious for words.
  • Who guessed it? (Score:5, Interesting)

    by OxygenPenguin (785248) <mrunyon@gmail.com> on Thursday November 17, 2005 @09:54AM (#14051594) Homepage
    I said right off the bat, that the Sony DRM package would be full of other's code. Seems to me that Sony hired some blackhats to get the job done for them. Violating the GPL is definitely the least of their worries, but just another strike against what is becoming an increasingly corrupt music giant.
    • Re:Who guessed it? (Score:3, Insightful)

      by RingDev (879105)
      "Seems to me that Sony hired some blackhats to get the job done for them."

      Err, no. Sony licensed a product that was developed by a bunch of ass hats. Sony, while incompetent, could sue the party they licensed the software from for many of their wohs.

      -Rick
  • by meringuoid (568297) on Thursday November 17, 2005 @09:57AM (#14051620)
    They've simultaneously violated DVD Jon's copyright on his code, and (in distributing it in the USA) violated the DMCA to boot!

    Sony ought to be in some severely deep shit here. Of course they're a corporation, so they're mostly above the law, but we should still be able to get something to stick.

    • Sony will get a slap on the finger, if even that much. CD's aren't the only thing they sell, and really, for most people the whole rootkit thing doesn't matter. Heck, you still have to be pretty tech savvy to understand what the whole thing is about. I doubt this whole thing is on the top of Sony's list of issues...at least not for the company as a whole.
    • by Albanach (527650) on Thursday November 17, 2005 @10:17AM (#14051785) Homepage
      Actually if the software came from first4internet and first4internet are based in the UK then this could be interesting.

      Under UK law copyright infringement is a criminal offence - in other words, report it to the police and they are obliged to investigate.

      So if the copyright holder were to let the police know of their concerns and supply some evidence, the company that authored the software could have an interesting visit.

  • by Gnascher (645346) on Thursday November 17, 2005 @09:57AM (#14051628)
    Rember, Sony purchased the rootkit from first4internet. They wrote the software that is abusing the GPL.

    Most folks don't review the sourcecode of software they purchase to determine if its license-tree is clean.

    Sony definitely made a truly dumb move by utilizing this DRM software (and several other dumb moves subsequently), but lets not let First4Internet off the hook either.

  • Wow. Just WOW. (Score:5, Insightful)

    by iainl (136759) on Thursday November 17, 2005 @10:01AM (#14051648)
    From the Sony binary file:

    "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq."

    ROT 13 it, and you get

    "copyright (c) Apple Computer, Inc. All Rights Reserved."

    You couldn't make it up, could you?
    • Seriously?

      I don't have a copy of the rootkit myself, but... wow. Just wow. First4Internet covered up their naughtiness with rot13?

      That's incompetence not seen since the heyday of Wile E. Coyote.

    • Re:Wow. Just WOW. (Score:5, Informative)

      by Sam H (3979) <sam@zoy.org> on Thursday November 17, 2005 @10:34AM (#14051937) Homepage
      I have to make sure everyone understands why this string is here. To be fair with Sony (or whoever they mandated), it is not an attempt from them to hide the code theft. Rather, it is an attempt by Apple to prevent not only code theft but also clean-room reimplementations.

      Apple's encryption scheme includes the generation of a key. The important parts of this key come from the machine's unique hardware information. But to prevent (at least that's my only plausible explanation for it) people from reimplementing the scheme by using the same information, they also add this copyright string to the key generation. Reimplementing their protocol means the string has to be used.

      We just store it ROT13'ed in VLC because it would be confusing to have an Apple copyright in our code. Although technically the string itself is created by Apple, it is too short to qualify for copyright.
      • Re:Wow. Just WOW. (Score:4, Interesting)

        by iainl (136759) on Thursday November 17, 2005 @11:53AM (#14052780)
        I thought that was roughly the case, thanks for confirming it. Sorry about saying it was just Jon's and forgetting about the rest of the team, too.

        So, quite apart from the fact they've stolen your code, the question now is:

        Why does Sony's DRM include code to break Apple's DRM? Are they just scanning for evidence that your code is running, staticly built the library because they were stealing some other aspect of your program, or do they actually want to decrypt Apple files?

        This story just gets stranger.
        • Re:Wow. Just WOW. (Score:5, Insightful)

          by Sam H (3979) <sam@zoy.org> on Thursday November 17, 2005 @01:32PM (#14053945) Homepage
          Why does Sony's DRM include code to break Apple's DRM? Are they just scanning for evidence that your code is running, staticly built the library because they were stealing some other aspect of your program, or do they actually want to decrypt Apple files?


          It is likely that they are not using VLC's code but some other, smaller application that just happens to use our code (and which may or may not respect the GPL itself -- there may be unknown intermediaries in the story). The drms.c file is part of VLC's MPEG-4 / QuickTime demuxer, so it could be a music player or a media tagging utility, for instance.
      • by bluGill (862)

        Even if the string was copyrightable, your use is purely functional, and thus not subject to copyright laws in this case.

        See Sega Vs Accolade [harvard.edu]

  • Contest (Score:5, Funny)

    by saskboy (600063) on Thursday November 17, 2005 @10:05AM (#14051678) Homepage Journal
    I think the EFF should dream up a contest, and the most crazily ironic story involving DRM, copyright, and the law would win a prize.

    Oh, too late! Sony already wrote the best story, and it's actually happening before our eyes! Truth is stranger than fiction. And Sony wins many massive lawsuits. Err, I mean they lose them, the prize is they get sued.
  • by Snamh Da Ean (916391) on Thursday November 17, 2005 @10:10AM (#14051710)
    DVD Jon's Code In Sony Rootkit? "The ironing is delicious".
  • Good news! (Score:3, Funny)

    by Sam H (3979) <sam@zoy.org> on Thursday November 17, 2005 @10:14AM (#14051752) Homepage
    Not that I could not before, but I can now copy and download all the Sony CDs I want without fearing a lawsuit. They apparently don't care about intellectual property.
  • by 91degrees (207121) on Thursday November 17, 2005 @10:17AM (#14051782) Journal
    It could just be using extracts to identify the software. I mean, why would they want LAME and DeCSS on their CDs? They have no use. We don't need an MP3 encoder because any compressed copies will be already encoded in a DRM format. They really don't need to decode iTunes songs.

    If these are small segments, used for identifying and diabling the software, then the copyright defence could be fair use. And there's no way I'll say that copyright shoudl prevent this.
    • by muzzy (164903) on Thursday November 17, 2005 @01:57PM (#14054204) Homepage Journal
      It indeed doesn't make much sense to include all these things there. Most likely, they just stole some bigger piece of code and got all the little features as an extra bonus. That'd be the most simple explanation, anyway, and it'd make sense too.

      These pieces are definitely not for identifying or disabling software, they're linked into the executables just like all other libraries normally are. There are execution paths throughout the thing. I was just able to find an execution path from a function that has a string "CDXCP3" to the DeDRMS code. I'd say this first one is XCP specific, although it'd take more research to find out how exactly the code uses this stuff.

      Reverse engineering takes times, especially since I don't have access to latest and greatest commercial tools that exist for tasks like this. The only reason this stuff is staying unanalyzed is because the protection is used on a CDs that very few computer experts would ever buy. Or at least I wouldn't :)
  • by logicnazi (169418) <logicnazi AT gmail DOT com> on Thursday November 17, 2005 @10:19AM (#14051804) Homepage
    So I looked through the links and while one of the discoverers made it quite clear that the LAME code is not being used as data (never refereced). However, it was unclear to me if that was true for the DVD Jon code.

    I mean the DVD john code seems like exactly the sort of thing one might want to search for on someone's computer to stop pirating. If indeed it is used only to identify the code it may be covered under fair use. It's an interesting legal question that I vaguely remember came up in virus/worm/spyware cases. Namely can a malware writter use some kind of simple code modification method to foul up simple hashes and then insist his copyright prevents anti-virus manufacturers from including large enough parts of the malware code to accurately detect it.

    It might not be pleasent but if it's fair for the good guys to use code under fair use for detection then the bad guys get to do it as well.

    Which reminds me I don't even remember the legal status of this DVD Jon code in the US. Is it illegal under the DMCA? Does this deny it copyright protection or a different measure.
    • by muzzy (164903) on Thursday November 17, 2005 @02:02PM (#14054271) Homepage Journal
      I can confirm that there exists an execution path between XCP code and DeDRMS. However, navigating executables isn't like using road maps, so I have no idea under which conditions this execution path activates. It exists, however, which means the code really uses it directly or indirectly. Now it's up to the data flow to determine when it gets triggered, and analyzing that will take longer...
  • by Stormwatch (703920) <rodrigogirao@hot[ ]l.com ['mai' in gap]> on Thursday November 17, 2005 @10:21AM (#14051824) Homepage
    This is like watching a comedy movie, except I didn't have to pay for a ticket!

    (wait, does it mean MPAA will come after me?)
  • Sony's apology (Score:5, Informative)

    by RandoX (828285) on Thursday November 17, 2005 @10:22AM (#14051826)
    Get it here. [sonybmg.com]
  • by Anonymous Coward on Thursday November 17, 2005 @10:22AM (#14051827)
    press releases here stating [xcp-aurora.com]:
    * First4internet loses Sony BGM as customer
    * First4internet cancels XCP development
    * Due to First4Internet's huge liability claims, First4Internet closes its doors
    ...
    * First4Internet bought by Microsoft
    ...
    * Profit ?
  • by mustafap (452510) on Thursday November 17, 2005 @10:23AM (#14051837) Homepage

    I assume that some grey, suited MBA type didn't put this code in. A geek did. Following on from that, they are almost certainly slashdot readers....

    Does anyone have something they would like to tell us? ;o)
    • I assume that some grey, suited MBA type didn't put this code in. A geek did.

      The grey suited MBA paid for it to be done and the geek did what he was paid to do. And obviously Sony BMG marketing would have to approve as it is a change in their product. Legal would have been involved to license the code. Upper management would either have to put their heads in the sand or approve it.

      I don't know what world your from but geeks don't have a rats ass of influence with senior management. If a brain dead CS

  • by AnriL (657435) on Thursday November 17, 2005 @10:24AM (#14051849)
    ... one must first understand recursion.

    Sony uses rootkit to enforce DRM which incorporates code to circumflect DRM and thus can sue itself under the DMCA. C'mon! If this gets any more convoluted or self-referential, either the universe will explode (and be replaced with something even more complicated) or Sony will disappear in a puff of logic.
  • by acidblood (247709) <decio AT decpp DOT net> on Thursday November 17, 2005 @10:28AM (#14051879) Homepage
    When some cheapskate downloads copyrighted MP3s from a P2P network, it's `copyright infringement', but when Sony uses GPL'd code it's `stealing', right?
    • by donscarletti (569232) on Thursday November 17, 2005 @12:10PM (#14053003)
      When some cheapskate downloads copyrighted MP3s from a P2P network, it's `copyright infringement', but when Sony uses GPL'd code it's `stealing', right?

      There are many types of copyright violations with very different types of severity:

      The first type is when someone goes out and downloads a song, lets say "...And Justice for All" by Metalica they have simply avoided paying for it by getting it through illegal means. This does not equate to any directly measurable loss of revenue because when the effective price of something is lowered, people are more likely to get it. Thus it is not only likely that someone would not have bought the CD if the pirate mp3s were not available, but it is actually more likely than not. This is of cause not a wholly moral practice, but it is cirtainly not as bad as many other evils that exist in society today. These are the infractions that occur on Kazaa and the ilk.

      The second type of infraction is where one duplicates the media on which intellectual property is contained and sells it themselves at an actual monitary price. This is very different since there is a very obvious minimum bounds of loss of revinue caused by this which is of cause the markup on the pirated media. Motivation also changes in this type since there is a very clear misdirection in the chain of money where the pirate gets a clear financial benifit wheras they recieve none in the first set. This type of violation is criminal in most juristictions whereas the first type is wholly civil.

      The third and most severe case is where intellectual property is rebranded and its credit is misappropriated to another party. This historically has been a result of industrial espionage but today, open source software is very vulnarable to it. This is equivalant to the Kazaa casual pirate claiming that they wrote "...And Justice for All". It means that not only does the pirate get the profit for the sale of the intellectual property instead of the legal creator, but those who are convinced to use this thing in future by seeing the rebranded thing will never go to the real author to get a copy for themselves. In either of the previous two types there is a likelyhood that the author will eventually get money or whatever they are looking for (usually an ego boost in the case of OSS) but in the third type this is not the cause. This is a far more thorough missapropriation of this IP and thus the term "stealing" is far more appropriate.

      The reason that these three types are so neatly ranked is that as you can see, each one is a subset of the type before. Not everyone gets annoyed by violations every layer since OSS doesn't mind first or second type occuring but hates the third kind. SUN doesn't mind the first type occuring but hates the second and third with Java. Public domain doesn't mind any of the three. But no one will let one layer slide that is above something that annoys them.

      This case with sony is clearly not a third type violation (which I would call stealing) but is a second type (which I would call piracy) since Sony did not claim to write this software or even advertise its existence. The GPL says you can do second type scenarios on the condition that you distribute the source code. Sony redistributed this IP for money but did not distribute the source code AFAIK so they voilated the rules on this level. This puts them on par with sleezy bootleg vendors on street courners and ebay pirate CD vendors but significantly worse than some kid downloading Nelly mp3s off Kazaa and significantly better than the jerks behind CherryOS.

      So there you have it, why downloading some dumb pop song off the internet isn't as bad as taking credit for someone elses hard work and making millions of dollars off it and why sony are half way in between on this one.

  • by Slashdoc Beta (925619) on Thursday November 17, 2005 @10:29AM (#14051886) Homepage
    SCO Unix source code found in Sony Rootkit. I wish.
  • Dear Santa, (Score:4, Funny)

    by ds_job (896062) on Thursday November 17, 2005 @10:33AM (#14051931)
    I have been good for most of this year and I am willing to give up any claim I might have on a scalextric or video game if you could only make this /. story be true.
    Yours,
    Dave Smith
    (Aged 34)

    Right you lot. I've done my part now it is down to you to ask for enough money to prosecute this imbeciles so that they don't do anything quite so stupid again.
  • by icecow (764255) on Thursday November 17, 2005 @10:35AM (#14051946)
    My god, at this rate SCO code will be found next
  • Sony VAIOs (Score:4, Interesting)

    by Anonymous Writer (746272) on Thursday November 17, 2005 @10:37AM (#14051962)
    Does anybody know if Sony pre-installs this rootkit in the computers they sell? I thought their laptops were good products, and normally would be among my choices if I were to get a new one (slight possibility I may want to get a Windows laptop), but this whole rootkit thing changes that. If they so blatantly forced it onto people's computers through music CDs, even trying to on Macs, then I don't imagine they would have any qualms about forcing it onto their computer buyers as well.
  • Mainstream spin (Score:4, Informative)

    by resprung (410576) on Thursday November 17, 2005 @10:53AM (#14052092) Homepage
    Didya notice... the spin that - possibly - Sony has managed to put on the story

    CNN Europe and other mainstream media providers carried it like this:

    The trouble with the Sony software is that it makes your computer VULNERABLE TO VIRUSES.

    The mainstream spin is that the Sony software just opens the door to the bad guys. The word "rootkit" is not offered.

    It makes out as though Sony blundered and issued some insecure software, and how big a deal is that?

    This story deserves to grow and become a defining moment, but there's a long way from the tech community to the mainstream media.

  • And BTW... (Score:5, Informative)

    by Pakaran2 (138209) <windrunner&gmail,com> on Thursday November 17, 2005 @11:10AM (#14052281)
    He knows [nanocrew.net]
  • by Arend (170998) on Thursday November 17, 2005 @11:56AM (#14052811) Homepage
    Did you know copyright infringement is a crime?

    Well, it is.

    Or at least, it should be in all countries that singed the TRIPs agreement. It says so in article 61:

    http://www.wto.org/english/tratop_e/trips_e/t_agm4 _e.htm [wto.org]

    --

    SECTION 5: CRIMINAL PROCEDURES

    Article 61

            Members shall provide for criminal procedures and penalties to be applied at least in cases of wilful trademark counterfeiting or copyright piracy on a commercial scale. Remedies available shall include imprisonment and/or monetary fines sufficient to provide a deterrent, consistently with the level of penalties applied for crimes of a corresponding gravity. In appropriate cases, remedies available shall also include the seizure, forfeiture and destruction of the infringing goods and of any materials and implements the predominant use of which has been in the commission of the offence. Members may provide for criminal procedures and penalties to be applied in other cases of infringement of
    intellectual property rights, in particular where they are committed wilfully and on a commercial scale.

    --

    So, commercial copyright infringement, as is obviously the case here, is to be regarded a criminal offence in all countries that signed the TRIPs agreement. And if it is a criminal offence, the government is responsible to take the offender to court and throw him in jail should he be found quilty!

    All you gotta do is go to the police and hand over all evidence you can find regarding this alleged crime. Then the police should start investigating in order to bring these criminals to justice!

    This is great! This is the key to enforcing the GPL globally without having to be the author or copyright owner of the code of which the copyright has been violated. That's the beauty of criminal offences. These are prosecuted by the government on behalf of the public.

    Let's take a look at what I could find on this in the US law, since these disks have been sold in the US, haven't they?

    What I found out is that -- for me -- over the ocean, they have the "Anticounterfeiting Act of 2004":

    http://www.publicknowledge.org/issues/hr2391 [publicknowledge.org]

    "Provides penalties and jail sentences for trafficking in "counterfeit labels, illicit labels or counterfeit documentation or packaging" of records, software, movies, etc. The original bill also provided penalties for filing false information with Internet registrars, but that portion wasn't picked up in the omnibus. Passed the House Sept. 21, 2004."

    As far as I can see, this is the law text that applies and apparantly is in act:

    http://www.law.cornell.edu/uscode/html/uscode18/us c_sec_18_00002318----000-.html [cornell.edu]

    --

    TITLE 18 > PART I > CHAPTER 113 > 2318 Trafficking in counterfeit labels for phonorecords, copies of computer programs or computer program documentation or packaging, and copies of motion pictures or other audio visual works, and trafficking in counterfeit computer program documentation or packaging

    Release date: 2005-08-03

    (a) Whoever, in any of the circumstances described in subsection (c) of this section, knowingly traffics in a counterfeit label affixed or designed to be affixed to a phonorecord, or a copy of a computer program or documentation or packaging for a computer program, or a copy of a motion picture or other audiovisual work, and whoever, in any of the circumstances described in subsection (c) of this section, knowingly traffics in counterfeit documentation or packaging for a computer program, shall be fined under this title or imprisoned for not more than five years, or both."

    --

    "or a copy of a computer program"

    Looks like those criminals copying GPLed software can be sent to jail!
  • by One Louder (595430) on Thursday November 17, 2005 @12:22PM (#14053133)
    DVD Jon now works for Michael Robertson, a multimillionaire with a pretty big grudge against the music publishers.

    Robertson might be interested in bankrolling Jon in any litigation against Sony.

  • what is even (Score:5, Insightful)

    by suezz (804747) on Thursday November 17, 2005 @01:14PM (#14053742)
    sicker is that apparently the companies that we rely on for getting rid of root kits knew about the software since 2004 and did nothing. good going guys.

    doesn't it really make you look forward to VISTA - it is going to have this crap all over the os - they are working with media companies so everyone has to use windows to watch TV or DVDs.

    none of these companies care about the consumer - they are going to give us what they are going to give us and that's it.

    this why I chose open source and always will. no one is going to tell me how to use my computer.

  • by Peaker (72084) <gnupeaker@yah[ ]com ['oo.' in gap]> on Thursday November 17, 2005 @01:15PM (#14053749) Homepage
    Is the correct term.

    Sure, you could redefine theft to include the lack of transfer of funds as may be required by the combination of law and license, or other definitions, but please don't.

    The word theft is more useful when it refers to the act of reducing an owner's posession in order to increase someone else's.

    When copying, you are merely increasing the posession of one, and not decreasing the posession of another.

    Sure, you're violating what he demanded of you.
    Sure, you're violating the law.
    Sure, you're doing something many consider wrong.

    But you're not stealing. Stop changing English in non-useful ways!
  • by Maxo-Texas (864189) on Thursday November 17, 2005 @01:45PM (#14054091)
    Because it may be ripping off copyrighted source.

    And it is getting easier every day to mine compiled closed source for suspicious blocks of binary.

If a 6600 used paper tape instead of core memory, it would use up tape at about 30 miles/second. -- Grishman, Assembly Language Programming

Working...