DVD Jon's Code In Sony Rootkit?
An anonymous reader writes "With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar."
A share of profits? (Score:5, Interesting)
Anyway, DVD Jon can actually sue Sony for all *revenue* that Sony made from the sale of the CDs, if I'm not mistaken (not just profits). That would grab them where it hurts!
Who guessed it? (Score:5, Interesting)
Isn't that doubly illegal? (Score:5, Interesting)
Sony ought to be in some severely deep shit here. Of course they're a corporation, so they're mostly above the law, but we should still be able to get something to stick.
Stranger and stranger (Score:5, Interesting)
Though it wouldn't happen in a million years, I'd like to think this will bring Sony to its knees. It won't, but someone can dream.
Not that I had anything against Sony in the first place, but since this crap they threw out there and expected everyone to just "take it", they need to be slapped and slapped often.
They haven't even apologized yet. At least I haven't seen it. Though just saying "sorry" doesn't cut it anymore as thousands of computers are now vulnerable in the world due to their greed.
Re:Sony isn't the only one to lambaste here (Score:5, Interesting)
Re:PS3 vs. XBOX360 (Score:1, Interesting)
First4Internet could be in BIG trouble. (Score:5, Interesting)
3.(1) A person is guilty of an offence if
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.
I think First4Internet's little toy is designed to prevent or hinder access to programs and data held in a computer, don't you? And I really doubt that their click-through EULA constitutes authorisation to do so; it was fraudulently claimed that the Software was necessary to play the music, which was a plain lie as is shown by every Linux and Apple machine that plays it just fine without the rootkit installed.
I might add that even though these discs are not available in the UK, the Computer Misuse Act still holds [opsi.gov.uk].
Anyone know if we could possibly get Inspector Knacker to take a look at these felonious fellows?
Re:A share of profits? (Score:5, Interesting)
Let it be and Sony will reign in the RIAA (Score:1, Interesting)
Weird (Score:0, Interesting)
I can't help, and I know I'm not the only one.... (Score:2, Interesting)
Re:Isn't that doubly illegal? (Score:5, Interesting)
Under UK law copyright infringement is a criminal offence - in other words, report it to the police and they are obliged to investigate.
So if the copyright holder were to let the police know of their concerns and supply some evidence, the company that authored the software could have an interesting visit.
Is the DVD Jon code executed? (Score:5, Interesting)
I mean the DVD Jon code seems like exactly the sort of thing one might want to search for on someone's computer to stop pirating. If indeed it is used only to identify the code it may be covered under fair use. It's an interesting legal question that I vaguely remember came up in virus/worm/spyware cases. Namely, can a malware writer use some kind of simple code modification method to foul up simple hashes and then insist his copyright prevents anti-virus manufacturers from including large enough parts of the malware code to accurately detect it?
It might not be pleasant, but if it's fair for the good guys to use code under fair use for detection then the bad guys get to do it as well.
Which reminds me, I don't even remember the legal status of this DVD Jon code in the US. Is it illegal under the DMCA? Does this deny it copyright protection, or is that a different measure?
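The comment above contrasts two ways a scanner might recognise a piece of code: a hash of the whole file, which any one-byte change elsewhere in the file defeats, and a signature built from a fragment of the code itself, which survives such changes but must be long enough not to fire on unrelated code. The following is an added illustration, not code from the story or from any of the parties it names; the "binaries" are constructed byte strings, and the shared function bytes are an invented x86-64 prologue rather than anything taken from the rootkit or from drms.c.

```python
import hashlib

# Constructed sample "binaries" (not real Sony/First4Internet/VLC bytes).
# SHARED_FUNCTION stands in for a function body two modules have in common.
SHARED_FUNCTION = bytes.fromhex("554889e54883ec20488b45f8c745fc00000000")  # constructed
PROLOGUE = bytes.fromhex("554889e5")  # push rbp; mov rbp,rsp: far too generic to be a signature

ORIGINAL = b"\x7fELF" + b"\x00" * 12 + SHARED_FUNCTION + b"\xc3" + b"\x90" * 8
# Same code, one byte changed in unrelated padding: enough to break a whole-file hash.
VARIANT = b"\x7fELF" + b"\x00" * 12 + SHARED_FUNCTION + b"\xc3" + b"\x90" * 7 + b"\xcc"
# A different program that merely shares the common function prologue.
UNRELATED = b"\x7fELF" + b"\x00" * 12 + PROLOGUE + b"\xc3" + b"\x90" * 8


def file_hash(blob: bytes) -> str:
    """Whole-file SHA-256: exact-match detection, defeated by any change."""
    return hashlib.sha256(blob).hexdigest()


def signature_match(blob: bytes, signature: bytes) -> bool:
    """Fragment signature: true if the signature bytes occur anywhere in the blob."""
    return signature in blob


def ngram_overlap(blob: bytes, reference: bytes, n: int = 8) -> float:
    """Fraction of the reference's byte n-grams that also appear in the blob.

    This is the kind of partial-overlap measure a scanner uses instead of a
    single exact substring, so small edits inside the shared code still score.
    """
    if len(reference) < n:
        return 0.0
    grams = {reference[i:i + n] for i in range(len(reference) - n + 1)}
    present = {g for g in grams if g in blob}
    return len(present) / len(grams)


def compare(blob: bytes, known_file: bytes, signature: bytes) -> dict:
    """Run all three checks of `blob` against a known file and its code signature."""
    return {
        "hash_match": file_hash(blob) == file_hash(known_file),
        "signature_match": signature_match(blob, signature),
        "ngram_overlap": ngram_overlap(blob, signature),
    }


if __name__ == "__main__":
    for name, blob in (("VARIANT", VARIANT), ("UNRELATED", UNRELATED)):
        print(name, compare(blob, ORIGINAL, SHARED_FUNCTION))
    # The 4-byte prologue fires on the unrelated file too: a signature that is
    # too short is a false-positive generator, which is why a scanner needs
    # "large enough parts" of the code it is trying to recognise.
    print("prologue in UNRELATED:", signature_match(UNRELATED, PROLOGUE))
```

The hash check fails on the one-byte variant while the fragment signature and the n-gram overlap still identify it; the short prologue shows the opposite failure, matching a file that has nothing to do with the reference. Real scanners pick fragment lengths and overlap thresholds between those two extremes.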
Re:A share of profits? (Score:3, Interesting)
$30,000 per infringement means $30,000 per sale of each CD. This is how they got to such huge damage claims in the peer to peer wars.
Sony's in genuine trouble on this one, and no matter what they look like hypocrites.
I have the strangest feeling DVD Jon's current boss knows a few good lawyers, so this won't be swept under the rug.
D
Sony VAIOs (Score:4, Interesting)
Re:Isn't that doubly illegal? (Score:1, Interesting)
They have been struggling on the border of death for years now... and it ain't got any better...
So you don't need *that* big a thing to bring Sony down...
Let's all wish it happens... some time it has to start to become better for us...
Re:Stranger and stranger (Score:2, Interesting)
Let Sony say that to the court, perhaps after hearing several hours of testimony from parents of minor children who had to settle with the RIAA (which Sony supports) for $10,000 or more for intellectual property theft actions of their children they were unaware of.
Let's see... Sony and the RIAA estimate the value of a stolen tune at $105,000 or so, times the number of duplicated copies. Guessing Sony's latest DRM oops at only 50,000 copies shipped, that's 5.25 billion Sony owes to those whom they infringed. And don't forget, just as one can have more than one P2P file on a PC (at $105K value each), each party who was damaged by Sony's apparent theft should be entitled to a cut at these prices.
And unlike the parents Sony and the RIAA chased down, Sony has deep pockets and a higher standard given their full knowledge through RIAA persecution that intellectual property theft is wrong.
*scoove*
Re:Ah, but who put it there? (Score:3, Interesting)
I assume that some grey, suited MBA type didn't put this code in. A geek did.
The grey suited MBA paid for it to be done and the geek did what he was paid to do. And obviously Sony BMG marketing would have to approve as it is a change in their product. Legal would have been involved to license the code. Upper management would either have to put their heads in the sand or approve it.
I don't know what world you're from, but geeks don't have a rat's ass of influence with senior management. If a brain-dead CSO looked at this he might have said it may be in violation of section 1030 of the Computer Fraud and Abuse Act, targeted paying customers and may contain copyright violations.
Conspiracy to subvert users who buy their product is likely. But this story is so ironically cute and humorous it will go down in the business journals like coke classic and the like. Sony will wait 6 months and when sales are down come out with DRM free classic CDs.
Re:The day the music died (err was killed by Sony) (Score:3, Interesting)
Re:First4Internet could be in BIG trouble. (Score:4, Interesting)
I'd be surprised if there was a DNS server left on earth that hadn't recently handled a query for First4Internet by now.
In any case it's worth investigating, notice that not all of Europe is covered in red, although I'm sure the scandal has been reported there as well. There's a good possibility here that Sony has sold the CDs in the UK, and frankly it should be investigated because Sony deserves to be nailed with every law they violated for this little stunt.
Besides, has Sony ever released a list of all affected CDs yet?
Re:pissing contest. (Score:4, Interesting)
Re:Stranger and stranger (Score:5, Interesting)
Except after the initial exposure of this rootkit in their products, Sony bigwigs were on an NPR radio broadcast saying essentially (paraphrased) "What they don't know won't hurt them". I'd certainly contend that constitutes delayed action, and possibly collusion. Plus the factoids coming out that this rootkit may have possibly been distributed by Sony for over a year now.
Regardless of who wrote it, Sony is still the one who deliberately distributed millions of CDs containing this malware. They should have done due diligence on their own product before shipping. They've supposedly stopped making CDs with XPC, but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again. Instead, they've done practically nothing (except some basic CYA by halting further production) and practically promised that they'll be trying this again in some form in the future. Hardly sounds like an 'innocent' party.
Sony certainly deserves to get their collective ass handed to them. It's just a shame it will have to happen through lawsuits and consumer boycotts, as you'd think they would learn not to abuse their own paying customers. I guess not.
P.S. Screw you Sony, your products, warranties, and service have been crap for years, but now I will actively avoid anything to do with you.
Re:Wow. Just WOW. (Score:4, Interesting)
So, quite apart from the fact they've stolen your code, the question now is:
Why does Sony's DRM include code to break Apple's DRM? Are they just scanning for evidence that your code is running, statically built the library because they were stealing some other aspect of your program, or do they actually want to decrypt Apple files?
This story just gets stranger.
DVD Jon works for Robertson (Score:3, Interesting)
Robertson might be interested in bankrolling Jon in any litigation against Sony.
Re:The day the music died (err was killed by Sony) (Score:3, Interesting)
Don't you think they're celebrating now that using audio CDs in PCs is a security risk? I'm surprised they haven't done this sooner. Pretty soon, we'll be asking for Trusted Computing because it will protect us from oursel^h^h^h^h^h^h the security risks inherent in unsafe CD playing....
Re:Sony's apology (Score:2, Interesting)
Welsh DRM technology is a hit in the US [xcp-aurora.com]
Um, yeah, the determined audio pirates that leave AutoRun turned on on their CD-ROM drives.
Oy.
Re:Very Dangerous Reasoning (Score:4, Interesting)
Re:Stranger and stranger (Score:3, Interesting)
I do not think it matters who wrote the code in the first place. Sony sells the code and so has the responsibility... simple as that. In the same way that if I buy a PS3 and the disc drive is broken Sony can't tell me to take it up with Toshiba or whoever makes the drive. They sold it and they must deal with the consequences. They themselves are free to take it up with their supplier but this is up to them.
Imagine you buy a car and the brakes fail. The manufacturer can't avoid liability by saying that it is the fault of the guy who refined the steel and that I should take it up with him.
If it was the case that guilt could be passed down the line then all drug dealers would go free by saying it wasn't my fault, you should prosecute the Afghan farmer who planted the poppies, I am merely "passing" it along.
It does not matter who is at FAULT it matters who is RESPONSIBLE.
Re:A share of profits? (Score:2, Interesting)
Actually, I'm unsure why they had this new code in. Some possibilities:
1. support playing of apple drm'd music (invalid because they surely use his whole code which constitutes copyright infringement)
2. scan for DVD Jon's code and block its usage (valid - fair use, they use only signatures)
Re:Very Dangerous Reasoning (Score:3, Interesting)
To draw a more potent example (because it's known that the code in this case is active, and not possibly "just a fingerprint"), it is entirely plausible that Geico would be liable for the programs they received from MXS. And they're just a customer using the software! They're not even involved in the development. Another example is that every Linux user would potentially be liable if Linux were to be found to contain code that SCO owns the copyright for. (Thus, the reason for indemnification, etc.)
Basically, the issue here would be that Sony did not take due diligence to ensure that the code provided to them was unencumbered. And you better believe that F4I will attempt to show that they *did* notify Sony of any encumbrances, at which point Sony would be screwed, and F4I would be fine, because they complied with the (L)GPL, and Sony failed to redistribute properly.
Ignorance has never been an excuse of receiving stolen goods, or receiving infringing copyrighted material.
In this case, Sony would be working much like a fence. They would take the directly stolen code (and thus not at fault for the actual theft) and then they would peddle it out (accessory, plus some more extra stuff, like selling stolen goods.) So if anything, Sony is at least equally guilty of any infringement that F4I did on their behalf.
Re:Stranger and stranger (Score:4, Interesting)
"but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again."
Actually, it appears that they *do* plan to offer replacement discs [sonybmg.com]. I tried to post this to the main page (a fairly significant development, IMHO), but alas it was rejected. In other news, Mark Russinovich is declaring victory [sysinternals.com] as a result.
I'm not saying that makes everything okay... I'm just saying that they're not being *total* jerks about this (just *partial* jerks). I expect we'll see more of a response out of Sony once that large bureaucratic ball eventually does get rolling. In an organization the size of Sony, I'd bet it has quite a lot of inertia.
And no, I won't be buying any more Sony CDs... or probably anything else - just on principle.
Re:Is the DVD Jon code executed? (Score:3, Interesting)
Anyway, I made no claim that Sony would be okay with you acting as described. Luckily Sony is not the court. Of course the courts aren't stupid, so they aren't going to believe that your huge library of music is really being used and necessary for recognizing songs you come across. If you kept the music in some non-playable (without difficult extraction) form (maybe pre-processed to match against snippets) the situation might be different.
The question is not about the non-execution. I tend to agree this is not itself legally relevant. The question is whether using someone else's copyrighted work for the sole purpose of recognizing that work when it appears counts as fair use. The fact that it is not executed is only relevant insofar as it supports the idea that it is being used only to recognize the work.
Frankly I don't know, though I think there have been some cases about it. If you had some legal grounds for your conclusion I would love to hear them but it isn't the sort of thing one can just intuit without knowing anything about it.
Re:PS3 vs. XBOX360 (Score:3, Interesting)
Sony installs theirs without telling you and then if you try to uninstall it, it roots you even worse