DVD Jon's Code In Sony Rootkit?
An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."
Re:Nice link, guys. (Score:3, Informative)
Re:Wow. Just WOW. (Score:5, Informative)
Re:Sony isn't the only one to lambaste here (Score:2, Informative)
BZZT! Thanks for playing.
This software is First4Internet's *PRODUCT*, which they are licensing to Sony. They will license it to anyone who pays for it.
These both seem to indicate they are liable.
Liable for what, exactly?
Did Sony knowingly violate the LGPL? No.
Did Sony intend to commit copyright infringement? No.
Is Sony still distributing the software? No.
Did the software authors register their copyright? No.
Sony is not legally liable for any copyright violation, and as they didn't know that the code wasn't First4Internet's, then they're not even in violation of the *spirit* of the LGPL, either.
Re:Sony isn't the only one to lambaste here (Score:1, Informative)
http://www.first4internet.co.uk/contact.aspx [first4internet.co.uk]
By Email
info@first4internet.co.uk
sales@first4internet.co.uk
webmaster@first4internet.co.uk
By Phone
Tel: +44 (0)1295 255777
Fax: +44 (0)1295 262682
Sony's apology (Score:5, Informative)
Re:Wow. Just WOW. (Score:5, Informative)
Apple's encryption scheme includes the generation of a key. The important parts of this key come from the machine's unique hardware information. But to prevent (at least that's my only plausible explanation for it) people from reimplementing the scheme by using the same information, they also add this copyright string to the key generation. Reimplementing their protocol means the string has to be used.
We just store it ROT13'ed in VLC because it would be confusing to have an Apple copyright in our code. Although technically the string itself is created by Apple, it is too short to qualify for copyright.
Re:Sony isn't the only one to lambaste here (Score:3, Informative)
Is "intent" an element of copyright infringement? No.
Do you have to register your copyright to claim damages? No.
Confirming Source: http://www.copyright.gov/circs/circ1.html#cr [copyright.gov]
The day the music died (err was killed by Sony)... (Score:5, Informative)
I've been chasing down several accounts of government agencies, companies, educational institutions and others banning the use of Sony CDs on their PCs, due to the security risks of having Sony's rootkit DRM infecting their PCs. One government ministry, Alberta Agriculture, has banned the use of music CDs altogether, since Sony is hardly the only music company crippling its CDs with sneaky, malicious software. Here are a couple examples:
Here I thought this would only happen for "secure" workplaces. Sorta makes you feel sorry for SCO, they can't get anyone to even look at the crazy they're selling when Sony's got such a superior line of insane self-destructiveness.
Mainstream spin (Score:4, Informative)
CNN Europe and other mainstream media providers carried it like this:
The trouble with the Sony software is that it makes your computer VULNERABLE TO VIRUSES.
The mainstream spin is that the Sony software just opens the door to the bad guys. The word "rootkit" is not offered.
It makes out as though Sony blundered and issued some insecure software, and how big a deal is that?
This story deserves to grow and become a defining moment, but there's a long way from the tech community to the mainstream media.
Tell sony what you think (Score:2, Informative)
And BTW... (Score:5, Informative)
Re:PS3 vs. XBOX360 (Score:3, Informative)
Sony stated that they did not intend to use the patent they filed on this for the PS3.
Re:Stranger and stranger (Score:5, Informative)
If Sony is providing the source code for the programs and restates that the software is under GPL (thus giving you the right to modify and distribute your modification), then everything is fine between Sony and you though.
There have been several similar cases in Europe about this, and in every case the GPL has been found valid, and the violation of the license has been considered healed, if the final distributor was able to get hold of the source code and distribute this one too under GPL.
Check GPL v2.0 section 4:
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
For Sony this means: They lost the right to distribute the Program, and they will be in violation of the GPL until they start to comply with the GPL themselves (e.g. distributing the source and allowing modifications and redistribution under GPL).
Let's go to the police! (Score:3, Informative)
Well, it is.
Or at least, it should be in all countries that signed the TRIPs agreement. It says so in article 61:
http://www.wto.org/english/tratop_e/trips_e/t_agm
--
SECTION 5: CRIMINAL PROCEDURES
Article 61
Members shall provide for criminal procedures and penalties to be applied at least in cases of wilful trademark counterfeiting or copyright piracy on a commercial scale. Remedies available shall include imprisonment and/or monetary fines sufficient to provide a deterrent, consistently with the level of penalties applied for crimes of a corresponding gravity. In appropriate cases, remedies available shall also include the seizure, forfeiture and destruction of the infringing goods and of any materials and implements the predominant use of which has been in the commission of the offence. Members may provide for criminal procedures and penalties to be applied in other cases of infringement of intellectual property rights, in particular where they are committed wilfully and on a commercial scale.
--
So, commercial copyright infringement, as is obviously the case here, is to be regarded as a criminal offence in all countries that signed the TRIPs agreement. And if it is a criminal offence, the government is responsible to take the offender to court and throw him in jail should he be found guilty!
All you gotta do is go to the police and hand over all evidence you can find regarding this alleged crime. Then the police should start investigating in order to bring these criminals to justice!
This is great! This is the key to enforcing the GPL globally without having to be the author or copyright owner of the code of which the copyright has been violated. That's the beauty of criminal offences. These are prosecuted by the government on behalf of the public.
Let's take a look at what I could find on this in the US law, since these disks have been sold in the US, haven't they?
What I found out is that -- for me -- over the ocean, they have the "Anticounterfeiting Act of 2004":
http://www.publicknowledge.org/issues/hr2391 [publicknowledge.org]
"Provides penalties and jail sentences for trafficking in "counterfeit labels, illicit labels or counterfeit documentation or packaging" of records, software, movies, etc. The original bill also provided penalties for filing false information with Internet registrars, but that portion wasn't picked up in the omnibus. Passed the House Sept. 21, 2004."
As far as I can see, this is the law text that applies and apparently is in force:
http://www.law.cornell.edu/uscode/html/uscode18/u
--
TITLE 18 > PART I > CHAPTER 113 > 2318 Trafficking in counterfeit labels for phonorecords, copies of computer programs or computer program documentation or packaging, and copies of motion pictures or other audio visual works, and trafficking in counterfeit computer program documentation or packaging
Release date: 2005-08-03
(a) Whoever, in any of the circumstances described in subsection (c) of this section, knowingly traffics in a counterfeit label affixed or designed to be affixed to a phonorecord, or a copy of a computer program or documentation or packaging for a computer program, or a copy of a motion picture or other audiovisual work, and whoever, in any of the circumstances described in subsection (c) of this section, knowingly traffics in counterfeit documentation or packaging for a computer program, shall be fined under this title or imprisoned for not more than five years, or both.
--
"or a copy of a computer program"
Looks like those criminals copying GPLed software can be sent to jail!
Re:Very Dangerous Reasoning (Score:4, Informative)
Copyright infringement (Score:4, Informative)
Sure, you could redefine theft to include the lack of transfer of funds as may be required by the combination of law and license, or other definitions, but please don't.
The word theft is more useful when it refers to the act of reducing an owner's possession in order to increase someone else's.
When copying, you are merely increasing the possession of one, and not decreasing the possession of another.
Sure, you're violating what he demanded of you.
Sure, you're violating the law.
Sure, you're doing something many consider wrong.
But you're not stealing. Stop changing English in non-useful ways!
Re:Stranger and stranger (Score:3, Informative)
Re:Is it actually using the code? (Score:4, Informative)
These pieces are definitely not for identifying or disabling software, they're linked into the executables just like all other libraries normally are. There are execution paths throughout the thing. I was just able to find an execution path from a function that has a string "CDXCP3" to the DeDRMS code. I'd say this first one is XCP specific, although it'd take more research to find out how exactly the code uses this stuff.
Reverse engineering takes time, especially since I don't have access to the latest and greatest commercial tools that exist for tasks like this. The only reason this stuff is staying unanalyzed is because the protection is used on CDs that very few computer experts would ever buy. Or at least I wouldn't.
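Two of the comments above describe concrete mechanisms: the one on Apple's key generation (a fixed copyright string folded into the key, which VLC stores ROT13'ed so it does not look like an Apple notice in VLC's source) and the one just above on locating the DeDRMS code inside the XCP binaries by starting from a telltale string. The following is an added example written for this page; it is not code from VLC, from the XCP software, or from either commenter. The copyright string, the "hardware info" bytes, the hash-based key derivation and the byte blob are all constructed placeholders (the real Apple scheme and the real string are not reproduced), and the scan only finds strings, not execution paths, which still needs a disassembler as the commenter says.

```python
import codecs
import hashlib
import re

# Constructed stand-in for the vendor copyright string the comment describes.
# The real string is not reproduced here.
COPYRIGHT_STRING = "Copyright (c) Example Vendor. All rights reserved."

# How a project can carry a string it is forced to use without it reading as a
# foreign copyright notice in its own source: keep it ROT13'ed, decode at runtime.
STORED_ROT13 = codecs.encode(COPYRIGHT_STRING, "rot13")


def recover_string(stored: str) -> str:
    """ROT13 is its own inverse, so decoding is the same operation as encoding."""
    return codecs.decode(stored, "rot13")


def derive_key(hardware_info: bytes, fixed_string: str) -> bytes:
    """Illustrative key derivation (an assumption, not Apple's actual scheme).

    Per-machine hardware data is mixed with a fixed string. Any reimplementation
    that wants the same key must therefore embed that exact string, which is
    the point the comment makes about why the string ends up in VLC at all.
    """
    h = hashlib.sha256()
    h.update(hardware_info)
    h.update(fixed_string.encode())
    return h.digest()[:16]


def find_markers(blob: bytes, markers) -> dict:
    """Scan a binary image for each marker, both as-is and ROT13'ed.

    Returns {marker: [(offset, form), ...]}. Matching the ROT13 form is what
    lets the obfuscated copyright string be spotted in a third-party binary.
    """
    hits = {}
    for m in markers:
        forms = {
            "plain": m.encode(),
            "rot13": codecs.encode(m, "rot13").encode(),
        }
        found = []
        for form, needle in forms.items():
            for match in re.finditer(re.escape(needle), blob):
                found.append((match.start(), form))
        hits[m] = sorted(found)
    return hits


# Constructed sample "binary": padding, the XCP-specific string the commenter
# mentions, some filler, then the ROT13'ed copyright string as VLC stores it.
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"CDXCP3\x00"
    + b"\x90" * 16
    + STORED_ROT13.encode()
    + b"\x00" * 8
)


def scan_sample() -> dict:
    """Run the marker scan over the constructed blob."""
    return find_markers(SAMPLE_BLOB, ["CDXCP3", COPYRIGHT_STRING])


if __name__ == "__main__":
    hw = b"constructed-hardware-id"  # placeholder for machine-specific data
    assert derive_key(hw, recover_string(STORED_ROT13)) == derive_key(hw, COPYRIGHT_STRING)
    for marker, locations in scan_sample().items():
        print(f"{marker!r}: {locations}")
```

The scan reports the XCP string only in plain form and the copyright string only in its ROT13 form, which is the pattern a reviewer would expect if VLC's drms.c had been linked in unchanged; the key-derivation check shows that decoding the stored string yields byte-for-byte the value the derivation needs, so the obfuscation changes nothing about what the binary must contain.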
Re:Is the DVD Jon code executed? (Score:4, Informative)