Did Sony 'rootkit' pluck from open source?

Copy-protection code appears to have tapped an open-source project, raising questions about copyright, software experts say.

3 min read
Controversial copy-protection code used by music publisher Sony BMG on CDs appears to have tapped an open-source project, raising questions about copyright, software experts said Friday.

The "rootkit" piece of XCP software, developed by British applications maker First4Internet and used by Sony BMG to restrict copying and sharing of music CDs, is already highly controversial because it acts like virus software and hides deep inside a computer where it leaves the backdoor open for malicious hackers.

Sony BMG earlier this week said it would recall some 4.7 million CDs with the software, after the discovery of the first computer viruses last week that took advantage of the weakness.

The XCP program will installs itself on Windows-operated personal computers when consumers play one of 49 CDs from Sony BMG. The program forces consumers to use a music player that comes with the program.

This music player contains components from an open-source project, an MP3 player called LAME, it has emerged.

"Multiple software components on the CD have references to the LAME open-source MP3 code," Finnish software developer Matti Nikki said in an e-mail.

After unraveling the code, others found similar evidence.

"We can confirm that at least five functions in the XCP software are identical to functions in LAME," said Thomas Dullien at security software firm Saber Security in Bochum, Germany, which specializes in the analysis of complex software.

Open-source software, if used, needs to be identified as such, so that it can be freely shared with others. Developers on Slashdot.org and other Internet bulletin boards could not find an open-source reference in the copy-protection software.

If open-source software is tightly integrated into a single executable program, the whole application has to become open source software, even open source software such as LAME whose MP3 encoder is licensed under the more relaxed Lesser General Public License (LGPL), a lawyer said.

"That's the flipside of open source: If you don't respect the open-source rules, the old regime of copy protection comes back in full force," said attorney and Internet specialist Christiaan Alberdingk Thijm at law firm SOLV in the Netherlands.

There was LAME and other LGPL code in the program, and significant amounts were tightly integrated into the executable program, Saber Security said.

"We can confirm the existence of significant amounts of code from FAAC (which is LGPL) in the executable...These functions are part of ECDPlayerControl.ocx, thus directly integrated into the executable," Dullien said in an e-mail.

First4Internet, which sold the XCP software program used by Sony BMG on its CDs, declined to comment after repeated requests since Monday.

Sony BMG, which also declined to comment, has positioned itself as a defender of artists' rights.

It re-emphasized last week that copy-protection software is an "important tool to protect our intellectual property rights and those of our artists."

Responding to public outcry over the unsecure software, the music publishing venture of Japanese electronics conglomerate Sony and Germany's Bertelsmann said last week it would temporarily suspend the manufacture of music CDs containing XCP technology. This week, Sony BMG went a step further and announced it would recall millions of CDs with the rootkit.

Microsoft's antivirus team said Tuesday it would add a detection and removal mechanism to rid a PC of the Sony DRM copy-protection software, because it jeopardized the security of Windows computers.

Sony BMG last week was targeted in a class action lawsuit that asserts that company had not disclosed the true nature of its copy-protection software.