Sony Rootkit Allegedly Contains LGPL Software

CmdrTaco posted more than 8 years ago | from the this-keeps-getting-funnier dept.

GNU is Not Unix 623

Deaths Hand writes "According to this Dutch article the Sony DRM software (or rootkit, if you may prefer) contains code from the LAME MP3 encoder project, which is licensed under the LGPL. However, the source code has not also been distributed, hence breaching the license. Here is an English translation of the page." So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license. This story just keeps getting stranger.

623 comments

Uuuuuh (1)

frieko (855745) | more than 8 years ago | (#14033884)

Doesn't the LGPL permit this?

Re:Uuuuuh (3, Informative)

Anonymous Coward | more than 8 years ago | (#14033902)

they linked it statically (apparently the rootkit consists of a single exe), so no.

Re:Uuuuuh (4, Informative)

YA_Python_dev (885173) | more than 8 years ago | (#14033907)

Doesn't the LGPL permit this?

No. You can link LGPLed software with proprietary software, but you must still distribute the sources of at least the free software (free as in RMS).

Re:Uuuuuh (-1, Flamebait)

pla (258480) | more than 8 years ago | (#14033957)

but you must still distribute the sources of at least the free software (free as in RMS).

Thus explaining why every single open source project includes the full GCC source tree with it?

Sony did a very bad thing, and should suffer greatly for their actions. But this particular part of it strikes me as a non-issue, unless we have some proof that they modified Lame before linking against it.

"operating system on which the executable runs" (5, Informative)

tepples (727027) | more than 8 years ago | (#14034011)

<sarcasm>Thus explaining why every single open source project includes the full GCC source tree with it?</sarcasm>

The GNU General Public License [gnu.org] and the GNU Lesser General Public License [gnu.org] have an operating system exemption. The exact wording of the exemption in both licenses is as follows:

However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

True, the corner cases of this exemption have not been tested in a court of law, especially in conjunction with the "mere aggregation" exemption.

Re:Uuuuuh (5, Informative)

wlan0 (871397) | more than 8 years ago | (#14033910)

According to the EFF.

This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.

Notification? (4, Funny)

Grendel Drago (41496) | more than 8 years ago | (#14034028)

This is all so ridiculous. It's not like Sony even asks the user if they want this crap installed. Where would they even put the copyright notice? Of all the underhanded nonsense...

Re:Notification? (5, Funny)

Professor_UNIX (867045) | more than 8 years ago | (#14034073)

This is all so ridiculous. It's not like Sony even asks the user if they want this crap installed. Where would they even put the copyright notice? Of all the underhanded nonsense...

This is the problem with the viral nature of the GPL and even the LGPL licenses and is why you should really consider using BSD licensed software in your DRM rootkits in the future. Screw the FSF!

Re:Uuuuuh (-1, Redundant)

MadFarmAnimalz (460972) | more than 8 years ago | (#14033912)

Doesn't the LGPL permit this?

No. You're thinking BSD-like licenses.

If you're using LGPL code then you're allowed to link it against non-GPL code, but you're not freed from the requirement to make the code available.

Re:Uuuuuh (5, Informative)

DataPath (1111) | more than 8 years ago | (#14033939)

Small clarification - you're not freed from the requirement to make the code for the lgpl portion available. You don't have to make the source code for the program that links against the LGPL code available.

No, Sony would have been ok if they had installed a README with their rootkit explaining that their digital rights management solution contained code distributed under the LGPL license, and directed users of the software to a website containing the source code.

Nope. (4, Informative)

Dr. Manhattan (29720) | more than 8 years ago | (#14033922)

If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL. If you dynamically link to the LGPL code (e.g. shared library, DLL) then you don't have to open up the code that links to it (this is the primary difference between the GPL and the LGPL) but if you distribute the LGPL library with your binaries, you must offer the code for the LGPL portion, too.

That being said, from what I've read it appears that the Sony DRM code may be looking for LAME on the system (to block it from working on their 'protected' stuff) but doesn't appear to actually contain LAME code.

Almost. (5, Informative)

Anonymous Coward | more than 8 years ago | (#14033965)

If you statically link in LGPL code (i.e. part of the binary), then the whole thing must be LGPL.

Not necessarily. The only requirement is that the end-user can recreate the end result by modifying the LGPL part. This can also be met by distributing statically linked binaries and all .o files (also the closed ones). AFAIK, Loki did this for statically linked, closed-source, SDL-based games.

Re:Uuuuuh (2, Informative)

Anonymous Coward | more than 8 years ago | (#14033933)

Not necessarily.

The LGPL allows linking of proprietary software against Free libraries, however you must provide source code for the Free library or a means of getting it and you must "give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License." In addition "You must supply a copy of this License" (the LGPL.)

The question is if they linked against LAME or just pulled out a pattern string, and at what point it becomes "use" of the library. They still ought to have complied with the LGPL to be on the safe side if you ask me though.

Re:Uuuuuh (1)

jellomizer (103300) | more than 8 years ago | (#14033952)

In some ways. While Sony can include the Libraries and Release keep their code private. They probably failed to notify the users that they are using the Libraries that are used under the LGPL License. The LGPL is primarily used for libraries because by just calling a library that is Full GPL it would require you to make your application GPL which may be impossible because you may be using a licensed Library for another section of your application, causing a major licensing conflict. What the LGPL does is relax on the GPL Zealousness to be used more useful to all developers. But if Sony released their Rootkit without giving the Libraries credits and making public the source for the libraries (Including any modifications they did to it) then they are in violation.

Re:Uuuuuh (1)

Anonymous Coward | more than 8 years ago | (#14033956)

The dodgy ground has always been LGPL's compatibility with static linking. If LAME is statically linked into the executable, then it's against the license intentions.

Re:Uuuuuh (1)

Gabe Garza (535203) | more than 8 years ago | (#14034003)

Actually, that has a complicated answer that depends on how exactly the rootkit "contains source code" from an LGPL product.

Basically, the only way that you can use an LGPL-licensed library in your program without getting "tainted" is if your program is designed to work with an unmodified version of the library and is distributed as source code or an unlinked set of binaries.

If you distribute your program as an executable that's dynamically linked with the library, then you need to include notices saying that you use the library, that the library is covered by the LGPL, supply a copy of the LGPL, etc.

If your program is statically linked, then you'd need to do all the above AND supply the source code for the library and the object files for your program so that the user could relink it against a modified version of the library if they so desired.

If you "slice and dice" the library and copy parts of it in your program, then you're basically required to act as if the library was GPL (not LGPL).

The LGPL is complicated!

ard (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14033885)

ardard

just say no (3, Insightful)

hector_uk (882132) | more than 8 years ago | (#14033888)

now I feel more and more justified for not buying any music until the music industry stops suing their customers.

Re:just say no (2, Interesting)

Pieroxy (222434) | more than 8 years ago | (#14033924)

until the music industry stops suing their customers
Yes, but this time, it's customers suing them!

Re:just say no (3, Funny)

the_xaqster (877576) | more than 8 years ago | (#14033955)

I am sure there is a "In soviet Russia" joke in there somewhere!

Re:just say no (-1)

Anonymous Coward | more than 8 years ago | (#14034021)

In soviet Russia, jokes are sure of YOU!

Re:just say no (-1)

Anonymous Coward | more than 8 years ago | (#14034036)

In Soviet Russia, the jokes are sure you're in there somewhere!

Thank god! (4, Insightful)

Anita Coney (648748) | more than 8 years ago | (#14033892)

I read about this story days ago. I was hoping it wouldn't get lost. In a way this is even bigger than the root-kit story. You've got to love the irony of stealing code to create a DRM infested ripper!

Re:Thank god! (5, Insightful)

Halo1 (136547) | more than 8 years ago | (#14033994)

They're not stealing code, they're infringing on the author's copyrights by not respecting the license under which the code is distributed (in exactly the same way people who "share" Sony/BMG music via p2p etc infringe on Sony/BMG's and the artists' copyrights).

Re:Thank god! (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#14034101)

MOD PARENT INSIGHTFUL We need more time to use our mod points *grumble*

Re:Thank god! (4, Insightful)

Sepper (524857) | more than 8 years ago | (#14034102)

(in exactly the same way people who "share" Sony/BMG music via p2p etc infringe on Sony/BMG's and the artists' copyrights).

Not sure about the English language, but in my own we have a saying for this: "Do what I say, not what I do"

Re:Thank god! - What's Next (1, Funny)

Analogy Man (601298) | more than 8 years ago | (#14034075)

The still untold story is the exploited child slave labor used to add this backdoor with their small nimble fingers...

....and don't mention the countless fuzzy bunnies that died in the animal testing phase of Barbra Streisand's latest release.

LGPL (1, Insightful)

matt4077 (581118) | more than 8 years ago | (#14033894)

I believe the LGPL explicitly allows binary redistribution. However, it may still require attribution, and that did not happen in this case. Way to go to break copyright law to prevent others from doing the same. Especially since the LGPL goes a long way towards uses such as this.

old news (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14033897)

nothing to see here... move along

Sony Rootkit (-1, Redundant)

Edman (931166) | more than 8 years ago | (#14033903)

It's a shame for a company to use software which harms your rights of privacy just to check out if you're stealing software (yes, even music can be seen as software). It's even more shameful for this company to use a stolen piece of software to do this job...

Re:Sony Rootkit (0)

Anonymous Coward | more than 8 years ago | (#14033954)

files are not software.

Re:Sony Rootkit (2, Informative)

dwandy (907337) | more than 8 years ago | (#14034000)

Unless you're talking about shoplifting software from the local best-buy, "stealing" is incorrect.

It's important to remember that "copyright infringement" != "stealing", and if people on /. can't keep this straight, how can anyone expect Joe Public to keep it straight?

This is as much a PR battle as a legal battle, and any successful commercial organisation knows a thing or two about marketing/spin. And obviously judging by the crap they _sell_ (read push-on-consumers) as music and art, the *AA's must be successful marketers.

And the moral of the story is (1)

NVP_Radical_Dreamer (925080) | more than 8 years ago | (#14033905)

1. Install rootkit that contains licensed code without telling users
2. ????
3. Profit!

Re:And the moral of the story is (1, Funny)

MadJo (674225) | more than 8 years ago | (#14034034)

well in this case it's rather more like

1. Install rootkit that contains licensed code without telling users
2. ????
3. Lawsuit!

HA ! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14033908)

those bastards ! :)

Well, hang on a minute (2, Interesting)

daviddennis (10926) | more than 8 years ago | (#14033911)

I will admit I haven't read the license, but I could have sworn that I have no obligation to distribute the source of software I write using LGPL-licensed libraries. I thought I could freely distribute software using them for any purpose even if I was distributing binaries only of my proprietary software.

In fact, I thought that was the whole difference between the GPL and LGPL.

Did I get this wrong, or is this a non-story?

D

Re:Well, hang on a minute (1)

the_xaqster (877576) | more than 8 years ago | (#14033935)

The difference is with the LGPL you have to distribute the source of the LGPL files, not the source code to your own binaries. This has not been done.

Re:Well, hang on a minute (2, Informative)

hattig (47930) | more than 8 years ago | (#14033938)

The gist of it is that you can't statically link in the LGPL libraries into your application. You can only dynamically link the library. Even so, you have to give attribution that you use the library, and provide that library's source and object files on demand.

I wonder if someone has made a request to the software firm that wrote the software originally? Because the code is statically linked, they will of course have to make their entire software source available - if I understand this right.

Re:Well, hang on a minute (3, Informative)

Vo0k (760020) | more than 8 years ago | (#14034006)

You still can statically link as long as the user is able to replace the LGPL parts of the code. So, say, you distribute object format binaries of your proprietary code, or you release your own code on other open-source non-GPL license (like the new one from Microsoft, "you can read, you can compile, you're not allowed to edit"). Generally the gist is that the LGPL part of your code must remain Free to anyone you give/sell your software to, and the proprietary part must not stand in the way to that Freedom.

Re:Well, hang on a minute (1)

Halo1 (136547) | more than 8 years ago | (#14034067)

Even so, you have to give attribution that you use the library, and provide that library's source and object files on demand.
The latter only to people who legitimately got hold of the binary, and not to anyone else (though you can't stop anyone who legitimately got hold of the source code to redistribute it, of course).
I wonder if someone has made a request to the software firm that wrote the software originally? Because the code is statically linked, they will of course have to make their entire software source available - if I understand this right.
Not necessarily. They have to stop infringing on the copyright of the authors of the LGPL'd library. This can be done by releasing all source code, by dynamically linking against the library or by using another library. In a court, the authors of the library can also ask for damages to compensate them for the infringement (like the RIAA also can ask for damages when suing someone for copyright infringement).

A judge could in theory of course mandate that all source code be released, but that's unlikely. The "virality" of the GPL and LGPL are often overstated. It's true that if you use GPL code in a program which is distributed, the entire program should be released under a GPL compatible license.

It is however not true that if you don't do this, you can automatically be forced to release all that source code. The only thing you can be sure of is that the infringing party can be forced to stop infringing. How exactly this happens is another matter.

Re:Well, hang on a minute (4, Insightful)

Vo0k (760020) | more than 8 years ago | (#14033958)

You have to redistribute source of these libraries and enough hooks/API so anyone could replace them with whatever they like in your program. So either link dynamically (and include just the lib sources) or if you link statically, include source of the libraries and .o objects of your binary so they can be re-linked.

Code vs metadata (3, Interesting)

Vo0k (760020) | more than 8 years ago | (#14033915)

IANAL, but I think this is no-case. The code isn't included as executable, but as metadata usable in identifying LAME. Same as antivirus vendors shouldn't be kept liable for installing millions of viruses and copyrighted code from multiple spyware programs, just because the antivirus contains snippets of the original code used in identifying the threats. They don't link the code against the program, but include pieces of it as non-executable data for the database. It's fair use. Same as you'd sue Google for copyright infringement because they include a snippet of text from your website in their search results, or a thumbnail of your copyrighted image in image search.

Aye, but... (2, Insightful)

KitesWorld (901626) | more than 8 years ago | (#14033972)

While I'm not concerned about whether it's legal or not (Sony will argue that same 'fair use' clause that they're trying to demolish), I think one of the major differences here is that Viruses and Spyware don't serve legitimate purposes.

Lame, on the other hand, is used in all kinds of software and by all kinds of people for legitimate reasons. If you're scanning for and disabling the engine on someone's work PC for instance, you can end up crippling a musician's recording studio that they use for their own work, or breaking someone's home video studio or something.
Legal, yes, but totally irresponsible all the same.

Re:Code vs metadata (0, Flamebait)

Serious Simon (701084) | more than 8 years ago | (#14033997)

How do you know the executable is not included? And if you are correct, this would mean that only this specific version of LAME can be recognized. That does not make sense.

Re:Code vs metadata (4, Interesting)

muzzy (164903) | more than 8 years ago | (#14033998)

Wrong, it isn't used for identifying anything. The GO.EXE only contains the strings and data but it isn't used there. I wasn't able to find any code in the executable that uses the data (for any purposes), and I looked pretty hard. It's been statically linked but unused. HOWEVER, there are more binaries on the CD compressed in XCP.DAT, which get installed to the system along with the DRM crap. At least one of these binaries contain LAME code for certain. The GO.EXE might not be enough for a case, but that's just the tip of the iceberg. There's real infringement in at least one other executable.

MOD PARENT UP (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#14034062)

(eom)

Takedown notice against Sony (5, Funny)

Anonymous Coward | more than 8 years ago | (#14033917)

Someone should send a takedown notice to the Sony corporation.

WTF (1)

Jerom (96338) | more than 8 years ago | (#14033919)

Is someone at SONY using some highly cynical form of humor to defend his/her position AGAINST DRM, or is this just plain stupidity slowly turning into the worst PR nightmare ever to hit the Japanese giant?

Whatever it is I love it!

On second thought this might also just prove that a LOT of commercial software illegally contains (L)GPLed code and just the ones that (due to extensive media attention) get scrutinised a lot, end up getting caught.

hmmmm...

J.

This counts as a violation *why*? (1, Interesting)

pla (258480) | more than 8 years ago | (#14033926)

However, the source code has not also been distributed, hence breaching the license

Uhh... Probably not going to say something popular here, but wouldn't it only violate the LGPL if they had made changes to the code and then not made those changes available?

If they just linked against it as a library, well, the LGPL exists for exactly that reason.


Not to say that I find it all that unlikely that Sony did in fact make changes (adding some other DRM, beyond the rootkit itself - Though even that, they could theoretically have done without modifying the Lame code itself), but this seems all too much like exactly what we fault SCO for.

"You used our code! Give us your changes!" "We didn't make any changes..." "Well give us the code and prove it!"

Re:This counts as a violation *why*? (3, Interesting)

TrekkieGod (627867) | more than 8 years ago | (#14034085)

I was confused and under that impression too, so I read the LGPL license. It doesn't require you to submit the source code, but it does require the machine readable object code to be released so that people can link it with the library themselves. It also requires that the fact the library is being used be clearly stated, and the LGPL license text included with the distribution.

Re:This counts as a violation *why*? (1)

BridgeBum (11413) | more than 8 years ago | (#14034087)

I believe the LGPL requires acknowledgement to the copyright holders included along with the distribution. Sony didn't include those notices.

This story gets better and better (2, Interesting)

MechaShiva (872964) | more than 8 years ago | (#14033929)

It's like a nerd's wet dream. First you have an over-zealous company sabotage its own customers' machines. Now, it turns out they are violating the very copyright laws they are trying to defend with their crapware. What next? Perhaps they'll claim they own the code in question and try to relicense it for $699, even though we all know they'll want to charge $666 for it.

... or maybe not (2, Informative)

68kmac (471061) | more than 8 years ago | (#14033932)

Just minutes before heading over to Slashdot I read this [the-interweb.com] which concludes that while Sony's software does contain some of the LAME tables, it doesn't seem to use them.

... or maybe yes (5, Interesting)

muzzy (164903) | more than 8 years ago | (#14034031)

That only concerns GO.EXE, and while the analysis is correct for that executable, I checked for LAME references against every binary in the compressed XCP.DAT file after I managed to unpack it (thanks to freedom-to-tinker.com guys for providing description of the format). Turns out, there's more binaries including references to LAME, and this time there's actually code that uses the data as well. And not just LAME, there's also Id3lib included in one dll, and bladeenc and mpglib distributed along with the DRM. All of this is LGPL, it's code, and it's being used.

Well, maybe... (1)

McGruff (37593) | more than 8 years ago | (#14033934)

I heard this several days ago and after I stopped laughing my butt off, I actually thought about it. It is likely doing string compares to find software that DRM is somehow allowed to break on your system, you know, to protect you from the bought and paid for content. If they really used GPL'ed, or in this case LGPL'ed, code there is going to be some spanking needed for this company. I don't think that LAME is likely to be in the software except as a detection string, however.

On the other hand, I would love to see RMS do his thing. He's got the legalese mojo, baby.

A bit misleading (2, Interesting)

Lifewish (724999) | more than 8 years ago | (#14033936)

According to the report [the-interweb.com] I read, the Sony rootkit doesn't contain any of the code from the LAME libraries, just a couple of tables. No-one seems to be quite sure why they'd do this - the two popular theories seem to be that either it's a cockup (they didn't really mean to include the tables) or it's part of some LAME-detection system. The evidence is probably on the side of the former given that the tables don't actually seem to be used at any point.

This probably is copyrightable data, but it appears to be use on a par with that occurring in spyware detection, as reported in the last news item [slashdot.org].

Disclaimer: I'm not the techiest person in the world - if I've made a mistake please tell me.

Re:A bit misleading (0, Troll)

antifoidulus (807088) | more than 8 years ago | (#14033974)

This is slashdot, the truth has no meaning here! Go back to your groupthink at once, you want to be a good /. citizen, don't you?

Re:A bit misleading (1)

Richard_at_work (517087) | more than 8 years ago | (#14033982)

This sounds very much like the SCO claims imho. The strings and array construct names involved seem so generic that they can be present for a number of reasons, including as you pointed out, a ripper detection system. They probably also lifted the following: if, else, while, main, int, char and a few others.

LAME is in there, just not in GO.EXE (4, Informative)

muzzy (164903) | more than 8 years ago | (#14034046)

Regarding GO.EXE, it's a cockup. I've posted a few other posts here explaining the real situation. LAME along with some other LGPL code is being used in other binaries on the DRM, I couldn't initially find them since they're compressed in XCP.DAT on the cd but they get installed on the system.

Still need to distribute source code (1)

chad9023 (316613) | more than 8 years ago | (#14033937)

As I understand it, you still need to distribute the source code. From the license:

You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

It serves them right! (5, Funny)

AndroidCat (229562) | more than 8 years ago | (#14033941)

If they'd gone Open Source from the start with their rootkit, the community could have contributed bug fixes and improvements. Even their competitors could have gotten involved, resulting in a truly powerful bug-free rootkit for use by everyone.

Glee (4, Insightful)

johnos (109351) | more than 8 years ago | (#14033942)

It's beautiful. I've always thought that the corporate war on their customers over intellectual property would turn when someone went too far. All of a sudden the mainstream media would wake up and finally get it. Well, now it's happened. The media is all over the story and Sony, bless their hollow little heads, just keep digging. I'm sure I'm not the only one who was shocked but not surprised at the news Sony or Level 4 have broken the LGPL. They are staggering around like a pummeled prizefighter, bleeding on everything. There's going to be more blood before this is over. Besides the $billion or so it will cost Sony to clean up the mess, others will have some 'splainin to do. Like the anti-virus companies, like Microsoft, like the other music companies.

Re:Glee (0)

Anonymous Coward | more than 8 years ago | (#14034056)

Bleeding on everyone is not a good thing today. Better wear gloves for the clean up and send the blood for testing.

Re:Glee (2, Insightful)

durian (89507) | more than 8 years ago | (#14034099)

The media is already moving on. Nothing will happen to Sony - maybe a few geeks will pretend not to buy their CDs anymore, but that's it. Consumers are not a player in this. It is corporations and politicians and it is about power and money.

the player (0)

lseltzer (311306) | more than 8 years ago | (#14033943)

This story first came out on a list I read over a week ago. I'm pretty sure it's actually the media player, not the rootkit, that contains the LAME code.

Sneaky Sony (5, Funny)

Ritz_Just_Ritz (883997) | more than 8 years ago | (#14033944)

I knew something was up when I saw that Aibo perched at my keyboard when I woke up this morning.

Next thing you know, they'll be after our precious bodily fluids.

More info (5, Informative)

muzzy (164903) | more than 8 years ago | (#14033949)

The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.

Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/ [hack.fi]
There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.

maybe just stupid and incompetent (0)

cinnamon colbert (732724) | more than 8 years ago | (#14033962)

We had a sony digital camera at work, and, of course, someone lost the software.
So, I figure, go to sony.com, enter the model number, pull up a page with a download link, and voila, broadband to the rescue

Not happening

It took me and another geek 30 minutes to find the download link

So, maybe Sony is just stupid and inept. After all, look at the trinitron monitors, with that horizontal wire ~ 1/3 of the way from the bottom; look at the software they distribute with their early model DVD players (the sony software would not work with their own player - I had to download something from sateira)....
Not to mention Viao - how on earth can you expect a brand to be successful if you can't spell or pronounce it (merkur anyone?)

Re:maybe just stupid and incompetent (1)

SillyNickName4me (760022) | more than 8 years ago | (#14034083)

So, maybe Sony is just stupid and inept. After all, look at the trinitron monitors, with that horizontal wire ~ 1/3 of the way from the bottom;

Blahblahblah...

Not wanting to spoil your day, but I think I should inform you there is another wire at about 1/3 from the top as well.
Neither are a messup, more like a consequence of the trinitron design that was difficult if not impossible to avoid at the time.

There is no violation involved (1, Informative)

lightweave (522226) | more than 8 years ago | (#14033967)

Apparently there are still enough people who don't understand the (L)GPL. The LGPL was created to allow people to use code from GPL applications as long as they only use it as a library. Which frees them from the need of redistributing their *own* code. Even with the GPL you are NOT required to distribute the code along with the binary. The only obligation that you have is to make it available upon request. But this is not the same. Even under the GPL I would be perfectly ok if I distribute a linux system, without giving MY customers the source code, as long as they don't ask for it. If my client is happy, why bother? And of course, then I would only have to give the source code to MY clients and not everybody else as well.

Re:There is no violation involved (2, Informative)

Kickasso (210195) | more than 8 years ago | (#14034037)

If you don't distribute the source, you have to make a written offer, valid for at least 3 years, blah blah blah.

Re:There is no violation involved (1)

tepples (727027) | more than 8 years ago | (#14034041)

The only obligation that you have is to make it available upon request.

Where on the disc or on the printed materials accompanying the disc is such a written offer?

What's next? (5, Funny)

Pig Hogger (10379) | more than 8 years ago | (#14033969)

The more it goes, the worse it seems. What's next?

- Sony rootkit eats kittens?
- Sony rootkit throws momma from the train?
- Sony rootkit spawns Darth Vader?
- Sony rootkit deflates tires of soccer moms?
- Sony rootkit steals cookies from girl scouts?
- Sony rootkit cheats at final exams?
- Sony rootkit pours hot grits down Natalie Portman's pants?

Market Strategy (0)

Anonymous Coward | more than 8 years ago | (#14033973)

"1. Install rootkit that contains licensed code without telling users 2. ???? 3. Profit!"

2. Release new Playstation!

I have a question... (1)

ghislain_leblanc (450723) | more than 8 years ago | (#14033980)

What happens when you try to play a DRMed CD in a non-windows computer? Does it just play or is it not even recognised as a CD? I never had a chance to try, I just don't care much for the titles they have to offer. If this rootkit is meant to prevent people from ripping CDs but only works on one platform, they can't possibly think this is gonna work, right?

Can someone explain this to me?

Thanks

Blame Sony? (1)

putko (753330) | more than 8 years ago | (#14033986)

Isn't the company to blame the one that made the rootkit for Sony? It is some OEM stuff.

I can imagine Sony doesn't know much about this at all. Sure, they are the ones legally responsible -- but ultimately, they'll just sue the rootkit makers if this ever costs them a dime (unless they indemnified the other guys).

Re:Blame Sony? (0)

Anonymous Coward | more than 8 years ago | (#14034076)

" Isn't the company to blame the one that made the rootkit for Sony? It is some OEM stuff."

The point missing is that Sony distributed the code, which is copyright infringement also, according to US Copyright Law.

Confusing (1)

TheComputerMutt.ca (907022) | more than 8 years ago | (#14033989)

Why isn't this labeled as "Sony"? I decided to look for all articles about their great evils, only to realize that this wasn't among them.

It even has some GPL components (4, Interesting)

leuk_he (194174) | more than 8 years ago | (#14033995)

looking at the licence of lame: [sourceforge.net]



*** IMPORTANT NOTE ***

The decoding functions provided in LAME use the mpglib decoding engine which
is under the GPL. They may not be used by any program not released under the
GPL unless you obtain such permission from the MPG123 project (www.mpg123.de).


So it is not only LGPL, but also the more strict GPL. This is of course all meaningless if nobody from the mpg123 project steps out and tells sony to go with the license.

Plus patents... (4, Funny)

Bazman (4849) | more than 8 years ago | (#14034004)

"So apparently Sony violates your privacy to create a backdoor onto your machine using code that violates an Open Source license..."

... from a project that may be[1] in violation of patent law! Woohoo!

Baz

[1] in some lawyers opinion.... see http://en.wikipedia.org/wiki/LAME [wikipedia.org] for info.

The Bad Plus, Suspicious Activity (1, Funny)

Anonymous Coward | more than 8 years ago | (#14034009)

CD: The Bad Plus, Suspicious Activity: The empire strikes backwards

Not stranger entirely consistent (2, Insightful)

Crashmarik (635988) | more than 8 years ago | (#14034010)

The fact that sony has chosen to violate a license agreement is entirely consistent with the motion picture and music industry standard operating procedures. The only rights they acknowledge are their own. For someone else to assert their rights, would be considered merely cheeky. Look at the Buchwald case, record industry and movie industry accounting practices.

In short if you look at this from the perspective that these people feel that they own YOUR right to enjoy entertainment, it all becomes very consistent.

Sony needs to protect its image... (4, Insightful)

digitaldc (879047) | more than 8 years ago | (#14034013)

...not its CDs. They have done more to damage their image and profits with this story than they would have saved by installing its spyware.
I also feel sorry for the poor chap who buys Ricky Martin, Neil Diamond or Celine Dion CDs, I really do.
Sony should have some kind of disclaimer about installing its bad software, maybe a 'Spyware Advisory' sticker? It is only fair.

So... How about them statutory damages... (1)

91degrees (207121) | more than 8 years ago | (#14034015)

Sony have knowingly distributed an unknown number of copies of this file. I believe this allows the LAME authors to claim statutory damages of between $250 and $150 000 per infringement.

Anyone know what an "infringement" is in this case? Is it a single copy or a single work?

Re:So... How about them statutory damages... (1)

msdschris (875574) | more than 8 years ago | (#14034060)

If you were to copy a sony CD 1,000's of times and sell it how would you be fined if convicted?

I don't think it contains LGPL code. (1, Interesting)

SaleNowOn (846913) | more than 8 years ago | (#14034017)

I'm sure I'm about to be proved wrong on this but....

The strings just look to be a part of a search function for various LAME versions on the users computer,
and both programmes contain an array with the highly original title of "largetbl".
"Large Table" for those non programmers amongst us.
I'd like to see a bit more evidence before I cry foul.

What I find interesting. Why the Sony Rootkit is looking for LAME in the first place?
Does it alter or break LAME in some way if LAME is found ??

Not really stranger (1)

djsmiley (752149) | more than 8 years ago | (#14034054)

Sony hired someone to stop people doing the dirty with their cds. What happened was they got someone (or some company) who either don't have ethics or morals, or are just plain dumb and gave sony exactly what they wanted. And now sony are paying the price.

Article Text (dewinter.com dead) (2, Informative)

Anonymous Coward | more than 8 years ago | (#14034066)

Spyware Sony seems to breach copyright
Posted on Thursday, November 10 @ 11:44:47 CET by brenno [dewinter.com]

GNU / GPL (Copyleft) [slashdot.org] The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.

It turns out that the rootkit contains pieces of code that are identical to LAME [mp3dev.org], an open source mp3-encoder, and thereby breach the license.

This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called object files, with which others can make comparable software.

Sony complied with none of these demands, but delivered just an executable program. A computer expert, whose name is known by the redaction, discovered that the cd "Get Right With The Man" by "Van Zant" contains strings from the library version.c of Lame. This can be concluded from the string: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 ".

But the expert has more proof. For example, the executable program go.exe contains a so called array largetbl. This is a part used in the module tables.c of libmp3lame.

This discovery can have far-stretching consequences for the music giant, who claims only to protect copyrights. Previously, judges in Germany already forced various companies to release source code to the public and to deliver the goods necessary for compiling. It is also possible to demand financial compensation for damages.

Meanwhile, other details are also becoming clear. The Electronic Frontier Foundation [eff.org] complains that the spyware makes the legal listening to the music on iPods impossible. The organisation is busy making a list of cds [eff.org] containing the hidden software and publishes this on her website.

Various calls to SonyBMG remained unanswered despite promises to call back.
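
The string comparison the article describes can be reproduced with a few lines of Python; this is an added example, not part of the comment above, the article, or the expert's own tooling. It extracts printable strings from a binary and looks for the version.c markers quoted in the article; the sample bytes are constructed, and the proximity check is an assumption of this example.

```python
import re

# Marker strings the article quotes as coming from LAME's version.c.
MARKERS = [b"http://www.mp3dev.org/", b"0.90", b"LAME3.95", b"3.95"]


def extract_strings(data, min_len=4):
    """Yield (offset, text) for each run of printable ASCII, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group()


def find_markers(data, markers=MARKERS):
    """Map each marker to the file offsets at which it occurs inside a string."""
    hits = {m: [] for m in markers}
    for off, text in extract_strings(data):
        for m in markers:
            pos = text.find(m)
            while pos != -1:
                hits[m].append(off + pos)
                pos = text.find(m, pos + 1)
    return hits


def assess(data, window=256):
    """Summarise which markers are present and whether they sit close together.

    Assumption of this example: strings compiled from one source file tend to
    land next to each other in the binary, so a tight cluster is stronger
    evidence of linked-in library code than isolated hits.
    """
    hits = find_markers(data)
    found = sorted(m for m, offs in hits.items() if offs)
    offsets = sorted(o for offs in hits.values() for o in offs)
    clustered = len(found) > 1 and offsets[-1] - offsets[0] <= window
    return {"found": found, "missing": sorted(set(hits) - set(found)), "clustered": clustered}


# Constructed sample: NUL-separated strings surrounded by non-printable filler.
SAMPLE = (b"\x90\x00\x01" * 10 + b"http://www.mp3dev.org/\x00" + b"0.90\x00"
          + b"LAME3.95\x00" + b"3.95 \x00" + b"\xff" * 32)

if __name__ == "__main__":
    for marker, offs in find_markers(SAMPLE).items():
        print(marker.decode(), offs)
    print(assess(SAMPLE))
```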

Sabotage from within? (5, Interesting)

jeffs72 (711141) | more than 8 years ago | (#14034071)

I could see the developer who had this project fall in his lap say "this is fucking stupid, let's teach them a lesson on integrating spyware with their cds" and violating this license (which will give them a black eye) and then write it in such a way that people can easily use it as a virus/trojan vector.

The more I think about it, it really smells of dissension from within.

Either that or it looks to me like this is a mix of business people not understanding their market, customers, or technology and sloppy code work. I mean, what asshat would grab some open source code and not adhere to the license? It is either a tremendous faux pas on Sony's part, or there was some intentional act here to make this as reprehensible as possible.

Sort of like watching the music industry test the waters on this sort of thing and finding them extremely chilly.

Ironic? (4, Insightful)

Rakishi (759894) | more than 8 years ago | (#14034088)

First of all it seems that there is more than just LAME in there: http://hack.fi/~muzzy/sony-drm/ [hack.fi]

Second of all, am I the only one who finds it ironic that a DRM program designed to protect someone's copyrighted information is itself infringing on someone's copyright? I guess if Sony wants to fight those evil copyright violators they should start by putting themselves in jail.