November 18, 2005

Sony’s (Deserved) Living Hell: Day 9 Update

Filed under: Business Moves, Consumer Outrage, Corporate Outrage, Economy — TBlumer @ 6:09 pm

It was only last Thursday when security firms showed the world that “hackers were distributing malicious programs over the Internet that exploited … (Sony’s) antipiracy technology’s ability to avoid detection.” In other words, their antipiracy technology was, unbeknownst to users, leaving their computers vulnerable.

Last Friday, Sony moved to suspend making CDs with the antipiracy technology.

Problem over? Hardly, it’s only the beginning:

It can’t get worse, right? Oh, yes it can, and it has (bolds are mine):

Software Writers Spot Open Source in Sony BMG CDs
November 18, 2005

BARCELONA (Reuters)—Controversial copy-protection software used by music publisher Sony BMG on music CDs appears to have tapped an open source project, raising questions about copyrights, software experts said on Friday.

….. This music player contains components from an open source project, an MP3 player called LAME, it emerged.

“Multiple software components on the CD have references to the LAME open source MP3 code,” Finnish software developer Matti Nikki said in an e-mail.

After unraveling the code, others found similar evidence.

“We can confirm that at least 5 functions in the XCP software are identical to functions in LAME,” said Thomas Dullien at security software firm Saber Security in Bochum, Germany, which specializes in the analysis of complex software.

Open source software, if used, needs to be identified as such, so that it can be freely shared with others. Developers on Slashdot.org and other Internet bulletin boards could not find an open source reference in the copy-protection software.

If open source software is tightly integrated into a single executable program, the whole application has to become open source software, even open source software such as LAME whose MP3 encoder is licensed under the more relaxed Lesser General Public License (LGPL), a lawyer said.

“That’s the flipside of open source: If you don’t respect the open source rules, the old regime of copy protection comes back in full force,” said attorney and Internet specialist Christiaan Alberdingk Thijm at law firm SOLV in the Netherlands.

There was LAME and other LGPL code in the program, and significant amounts were tightly integrated into the executable program, Saber Security said.

“We can confirm the existence of significant amounts of code from FAAC (which is LGPL) in the executable … These functions are part of ECDPlayerControl.ocx, thus directly integrated into the executable,” Dullien said in an e-mail.

First4Internet, which sold the XCP software program used by Sony BMG on its CDs, declined to comment after repeated requests since Monday.

Sony BMG, which also declined to comment, has positioned itself as a defender of artists’ rights.

So the “defender of artists’ rights” has, through a vendor (for whose actions Sony is responsible), lifted open-source code and put it into a commercial product.

At the rate things are deteriorating for Sony, I halfway expect to learn that the late Akio Morita’s famous early-1990s book, “The Japan That Can Say No,” was plagiarized from Japan’s World War II leader Tojo.
_________________

UPDATE: Geez, there’s more. Add violating personal privacy to the offense list:

….. computer expert and co-author (Mark Russinovich) of the Sysinternals blog discovered the rootkit and figured out where it had come from.

Then he discovered what it did. Besides installing a player for the CD and copy-protection software, Sony also hid other code that contacted the company every time a user played a song.

Yes, you read that right.

_________________

Nov. 18: Outside the Beltway Jammer.
