Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Open Source AI

An AI Company Using Stolen Code Is Trying To Silence the Person Who Found Out (neowin.net) 80

segaboy81 writes: Jailbreak hacker @ronsoros found stolen, open-source code in voice.ai, a real-time voice synthesizer, but instead of complying with the open-source license, they are taking measures to shut him down. "After an extensive investigation into an installation of Voice.ai, it was found that the company had integrated code from Praat, a widely-used open-source speech analysis software, and libgcrypt, a cryptographic library, in its proprietary software without releasing the source code of its software or providing proper attribution," reports Neowin.

"In his blog, undeleted, @ronsoros details the steps that were taken to uncover the violations. [...] @ronsoros reached out to the company to let them know they were in violation of two opensource licenses and was promptly booted from the community's Discord server."
This discussion has been archived. No new comments can be posted.

An AI Company Using Stolen Code Is Trying To Silence the Person Who Found Out

Comments Filter:
  • The copyright holder, and nobody else, can sue them for copyright infringement if you distribute the copyright holders compiled code without adhering to the GPL license conditions. It is copyright infringement unless they got a different license - they might have got a different license by paying for it. They might even have bought the complete code including copyright.

    Whoever detected this GPL licensed code should contact the copyright holders, to find out that these guys don't have a different license,
    • by geekmux ( 1040042 ) on Tuesday February 07, 2023 @05:30AM (#63271799)

      ...Whoever detected this GPL licensed code should contact the copyright holders, to find out that these guys don't have a different license, and of course to inform the copyright holder. Don't accuse anyone of copyright infringement until you are sure f it.

      And yet, that could have all been clarified within a sentence or two in a discord chat.

      You really think the real reason for their actions is going to show legit behavior? Needless to say I'm not holding my breath. Far more of a chance Greed pulled some FOSS fuckery for gain than someone stumbling across a licensing issue.

      • clarified within a sentence or two in a discord chat.

        I see! The old SILENCE IMPLIES CONSENT!!

        • What consent?

          Silence in the face of a felony accusation that could be easily dismissed if false does tend to make one look guilty.

    • FFmpeg provides for just this

      https://trac.ffmpeg.org/query?... [ffmpeg.org]

      making it easy to report violations and, yes, to watch some squirm like worms.

    • by Entrope ( 68843 ) on Tuesday February 07, 2023 @07:23AM (#63271911) Homepage

      The first rule of "did they have a special license" club is: They did not have a special license.

      You can probably guess the second rule of "did they have a special license club" -- especially given that they banned him rather than explained why he was wrong.

      Yes, only the copyright holder can sue them for copyright infringement, but anyone can opine on the company's ethics and the wisdom of using software from copyright infringers.

      • From a practical perspective, a business may not want to work with another business that may soon face an injunction.

      • by godrik ( 1287354 )

        Yes, only the copyright holder can sue them for copyright infringement

        Sueing for copyright infringement you are probably right.

        But I wonder if anyone can sue for tort, because you should have access to the code, but you don't. (In the US, I imagine you can always sue; but would you have a leg to stand on.)

        • Yes, only the copyright holder can sue them for copyright infringement

          Sueing for copyright infringement you are probably right.

          But I wonder if anyone can sue for tort, because you should have access to the code, but you don't. (In the US, I imagine you can always sue; but would you have a leg to stand on.)

          IANAL, but I think the case would get dismissed immediately on the grounds that you have no right to the source code. Yes, the company has an obligation to give you access to it (assuming they distributed their product to you; the GPL does not require them to make it available to people who didn't receive their product or have use of their product through a SaaS setup) but that obligation isn't to you, it's to the copyright holder.

      • Also, FSF is one of the copyright holders in question here. There will be squirming, and there will be crawling to the cross.

      • > given that they banned him rather than explained why he was wrong.

        "When you tear out a man's tongue, you are not proving him a liar, you're only telling the world that you fear what he might say. -- Tyrion Lannister"

    • by Sique ( 173459 ) on Tuesday February 07, 2023 @08:02AM (#63271943) Homepage
      With GPL code, everyone who contributed to libcrypt and Praat, is a copyright holder and can sue.

      And everyone who legally got the program binaries from the company can sue for the source code, as stated in the GPL.

      • by guruevi ( 827432 )

        Not so sure, are they actually releasing a product with the source code embedded in it? You don't have to disclose anything if you're just running an app and happen to include a library, you also don't have to disclose anything if you're just running a website with an API. You only have to release modifications you made to source code you re-distribute in either compiled or uncompiled form.

        Beyond that, EVERY copyright holder has to agree to sue. Otherwise you're going to start breaking down the claim into t

        • by Sique ( 173459 )
          You as the copyright holder for the part you contributed can sue for exactly that part you contributed. And as stated in the GPL, as this is the only license that allows for anyone else to use your code, whoever uses the your contributed part of the code is bound by the GPL.

          The strength of the GPL is the fact, that you need at least some license to use someone else's code. So you either adhere to the GPL, or you don't use the code at all, because you don't have any other license.

          • by guruevi ( 827432 )

            Sure, but what is the resolution for people contributing 2 lines of code. You then have to prove they actually use that code and that your code is itself not derivative from somewhere else.

            • by Sique ( 173459 )
              Derivative code generates a new copyright, conditional to the the copyright of the previous holder.

              That means, if someone publishes code C, and you change it to code C', then you hold the copyright to C', but can only use it if the copyright holder of C agrees. If someone wants to use C', he has to get your permission, and you in turn have to get permission of the one holding the copyright of C to allow the third party to use your code.

              GPL solves the problem by explicitely permitting to create, use and

      • by nasch ( 598556 )

        With GPL code, everyone who contributed to libcrypt and Praat, is a copyright holder and can sue.

        The projects' contribution agreement/policy doesn't involve a copyright transfer of some kind?

        • by Sique ( 173459 )
          The copyright is in the GPL. There it does not say anything about the transfer of copyright.
          • by nasch ( 598556 )

            The GPL is a generic license, so it cannot possibly indicate who holds the copyright in what. That would be indicated elsewhere, such as in a project's contribution contract.

      • by pabs3 ( 259410 )

        > everyone who legally got the program binaries from the company can sue for the source code

        Hopefully this lawsuit against Vizio will set that precedent:

        https://sfconservancy.org/copy... [sfconservancy.org]

    • by phantomfive ( 622387 ) on Tuesday February 07, 2023 @09:38AM (#63272139) Journal

      Whoever detected this GPL licensed code should contact the copyright holders, to find out that these guys don't have a different license, and of course to inform the copyright holder. Don't accuse anyone of copyright infringement until you are sure of it.

      Legally speaking, in the US you are allowed to say things when you think something is wrong. We have freedom of speech.

      Morally speaking, if you see something wrong, you should speak up. Which is what Ron Soros did, and the company tried to silence him.

      Logically speaking, it's not hard to be sure that a library is being used. It's like you didn't even read the summary. Why are you knee-jerk defending a company that acts guilty and tries to silence him?

    • Is an alternative license even possible?

      Do the infringed projects require contributors to transfer copyright to the primary developers? Or at least grant them the right to sub-license their code under arbitrary terms?

      Because few do, and without that it's all but impossible to offer alternative licensing to GPLed code.

      • Is an alternative license even possible?

        Do the infringed projects require contributors to transfer copyright to the primary developers? Or at least grant them the right to sub-license their code under arbitrary terms?

        Because few do, and without that it's all but impossible to offer alternative licensing to GPLed code.

        Dual licensing is a thing. If they were subject to a different license, then they could have explained this. Booting someone from the discord server suggests they probably didn’t have one.

        • Yes it is, which is why I asked. Because generally that only works if it's set up that way from the beginning. Once you've got dozens or hundreds of possibly poorly documented contributors it becomes almost impossible to change license terms, because you have to track down every past contributor to get permission first.

      • Is an alternative license even possible?

        My last company paid for lots of GPL-licensed code to the copyright holder / developer. So we had support, and we had software where we absolutely didn't want anyone to have the source code. Especially some 3 or 4 letter agencies.

        • It is possible in a general sense, IF the project is set up to allow for dual licensing.

          Most are not, and it's hard to change license terms after the fact since you need permission from every past contributor to do so.

    • by pabs3 ( 259410 )

      There is an alternative way to sue for compliance being tried in the Software Freedom Conservancy vs Vizio lawsuit. The lawsuit against Vizio is interesting because they aren't suing as copyright holders, but as recipients of GPL binaries from Vizio, they say that they are a third-party beneficiary of the GPL and thus they ask the court to force Vizio to release the relevant source code. Thus they create the possibility for any user of GPL binaries to sue for source code release.

      https://sfconservancy.org/co [sfconservancy.org]

  • by sg_oneill ( 159032 ) on Tuesday February 07, 2023 @05:09AM (#63271785)

    The irony of the "you cant decompile this" clause in the offending software is, its clearly there to stop people from uncovering the GPL violation. But because the GPL forbids such clauses, the "No decompilation" clause can be safely ignored, because it isn't valid as the GPL which applies to *all* the code in the offending software specifically overrules it.

    Folks, if they don't hand over the source code, they are committing copyright theft. And aint that a grand thing. Sometimes the masters tools really can deconstruct the masters mansion.

    • The irony of the "you cant decompile this" clause in the offending software is, its clearly there to stop people from uncovering the GPL violation. But because the GPL forbids such clauses, the "No decompilation" clause can be safely ignored, because it isn't valid as the GPL which applies to *all* the code in the offending software specifically overrules it.

      Folks, if they don't hand over the source code, they are committing copyright theft. And aint that a grand thing. Sometimes the masters tools really can deconstruct the masters mansion.

      Please study some law, and stop before someone takes your advice and gets into trouble. Just because a piece of software is found to contain 10 lines of GPLd code does NOT mean GPL somehow magically applies to code that contains it. Yes, the voice.ai is committing copyright violation, no, that does not mean you're allowed to treat their code as if it was GPLd. *If* the copyright holders of the GPL code go to court over this, the default punitive measure is going to be for voice.ai to pay damages and to remo

      • Re: (Score:3, Interesting)

        by drinkypoo ( 153816 )

        It doesn't matter, you can't prohibit decompilation or other forms of reverse engineering for purposes of interoperability or for determining whether someone has broken the law. Those purposes are protected by law, and a contract can't override that. You can refuse someone the right to use your other resources, though, which is what they did — so kicking him off their discord is legal, but also a de facto admission of guilt.

        • Re: (Score:2, Interesting)

          by blahabl ( 7651114 )

          It doesn't matter, you can't prohibit decompilation or other forms of reverse engineering for purposes of interoperability or for determining whether someone has broken the law. Those purposes are protected by law, and a contract can't override that.

          They are protected by law in jurisdictions which guarantee right do decompile, and not elswhere. OP was however making the point that they are provided by GPL because someone included a piece of GPL code in it. Well, no, they're not.

          You can refuse someone the right to use your other resources, though, which is what they did — so kicking him off their discord is legal, but also a de facto admission of guilt.

          How the hell? If some random jerk starts making and spreading false accusations against me, I'm expected not to kick him off my social media because doing so would be "admission of guilt"?!

      • by Opportunist ( 166417 ) on Tuesday February 07, 2023 @06:54AM (#63271867)

        I don't know about your laws, mine state outright that I have the right to decompile code to provide interoperability and to show that a violation of a law has been committed. I must not distribute that decompiled code and I must not facilitate the removal of copy protection mechanisms, neither may I disclose anything I found that doesn't deal with interoperability or a breach of law, but decompilation by itself is not the problem.

        The offending party can either broker a fitting license that allows them to use the code without disclosing their own, they may remove the offending code or they may put their own code under the GPL. These are the three options, the choice is theirs, though.

      • Just because a piece of software is found to contain 10 lines of GPLd code does NOT mean GPL somehow magically applies to code that contains it.

        It literally does. Five notes from a song are enough to trigger a copyright suit. Google lost a copyright case involving 9 lines of code to Oracle (they won the rest of the case, but paid a fine for those nine lines in the rangeCheck() function).

        There may be a defense, but by default they are in violation of the copyright and licensing agreements. The remedy is either for them to pay a fine or release the source code. They can try to win in court, but the fact is they literally copied the code, so it's a

        • by Pieroxy ( 222434 )

          Just because a piece of software is found to contain 10 lines of GPLd code does NOT mean GPL somehow magically applies to code that contains it.

          It literally does. (...) The remedy is either for them to pay a fine or release the source code.

          So, you agree with the poster you're replying to ? It does not?

      • Actually their code must be GPLed if it depends on GPLed code. If on the other hand the code they depended on is LGPL, then they do not. At the same time, transparency that they are using these libraries would be in their interest.

        The fact they are not engaging in discussion and being forthright suggests they got caught with their hand in the cookie jar.

        • Actually their code must be GPLed if it depends on GPLed code.

          No. It must be GPL licensed if it is distributed AND they don't want to be sued for copyright infringement. If you don't mind losing a court case then you don't have to give source code to anyone or license under GPL. You make your decision, and you suffer the consequences, but the decision is yours.

      • by Immerman ( 2627577 ) on Tuesday February 07, 2023 @10:30AM (#63272331)

        It's true that the GPL doesn't automatically apply to the entire code base... but that's usually how it shakes out in the end.

        Firstly because nobody infringes over ten lines of code. Even if they did, nobody could detect it anyway unless the code was made public.

        Secondly, and more importantly, copyright infringement has some serious penalties attached - I'm coming up with two different results from Google -
        - up to $250,000 or 5 years in prison, or both, which I recall from the RIAA rampages decades ago
        - at the infringed parties choice either damages PLUS all profits from the infringing works that can't be proven to be attributable to other factors, OR statutory damages of up to $30,000 per infringed work - rising to $150,000 if the infringement was willful, which includes any infringement occurring after being (officially?) notified of the infringement, so they're on the hook if they sell even one more copy.

        Combined with the fact that the collaborative nature of open source means that any infringement likely encompasses many independently copyrighted works... and those kinds of numbers can easily bankrupt a company. Possibly even worse, if you've been previously convicted of copyright infringement the penalties increase dramatically, giving infringers added incentives to settle and avoid a first conviction.

        Which is why almost every instance of GPL infringement ends with the entire code base being released under the GPL, as required by the license. The community has thus far been willing to waive claims against past infringements if they come into compliance. The alternative is removing the code (which can often be crippling to core functionality) and risking the liquidation of your company and even jail time for the infringements you've already committed.

        • by nasch ( 598556 )

          I'm coming up with two different results from Google

          That's because the first one is for criminal copyright infringement, and the second for civil. Almost all copyright cases are civil.

          Combined with the fact that the collaborative nature of open source means that any infringement likely encompasses many independently copyrighted works...

          Generally, each contributor's contributions don't get their own separate copyright. The whole project is a single copyrighted work.

          • >Generally, each contributor's contributions don't get their own separate copyright

            I think you're thinking of things like movies or commercial software, where the creators are usually all work-for-hire, which means that the copyright to their work automatically belongs to their employer. Even in a movie though, the copyright to the music usually remains with the musicians, it's only been licensed for inclusion in the movie.

            That's the entire reason some projects require copyright transfer with code contr

            • by nasch ( 598556 )

              It also means that every contributor whose code was infringed can level a separate legal claim against the infringers.

              Has this ever been tested in court?

              • Yes. In the sense that every time someone has filed a infringement claim against a GPL violatior and not had it thrown out of court for lack of standing, they established that their partial claim to the work's copyright gave them standing to file suit.

                I'm not sure a GPL violation case has ever actually made it all the way to a ruling though - lawyers tend to push their clients hard to settle as soon as it's obvious they have no chance of winning. I don't think anyone has ever felt the need to bring a secon

      • by sg_oneill ( 159032 ) on Tuesday February 07, 2023 @11:39AM (#63272537)

        Please study some law, and stop before someone takes your advice and gets into trouble. Just because a piece of software is found to contain 10 lines of GPLd code does NOT mean GPL somehow magically applies to code that contains it. Yes, the voice.ai is committing copyright violation, no, that does not mean you're allowed to treat their code as if it was GPLd. *If* the copyright holders of the GPL code go to court over this, the default punitive measure is going to be for voice.ai to pay damages and to remove the offending code, not some magical court-enforced GPLing of the whole thing.

        Its not a few lines of code. Its the core of the whole program.And the case law is really clear here.

        You are correct that the GPL wont "infect" the code until a court rules otherwise. However since the bulk of the code is the open source product, I'd argue strongly that the primary license here isn't their one, but the one belonging to the majority of the product, the GPL3

        (And I spent enough time working in the DOJ to feel confident I can safely ignore your "please stufy some law")

    • Stop propagating the copyright maximalists' disinformation. Copyright infringement is not theft - nothing is taken.

      It's copyright infringement - a completely unrelated crime.

      • In this case it is theft. Copyright infringement = sharing, theft = depriving the owner. The latter includes stuff like filing false strikedown notices or, like in this article, failing to provide source.

        • The owner in the latter has not lost anything; they still have all their code to use. If you donâ(TM)t consider sharing a loss (of a potential sale) then not getting some more code isnâ(TM)t a loss either. Either copyright infringement is a loss or isnâ(TM)t; you canâ(TM)t parse it based on individual beliefs or preferences.
          • The owner is entitled to the modified version which they don't get. This is an actual (not just potential) loss.

            • The owner is entitled to the modified version which they don't get. This is an actual (not just potential) loss.

              Jut as an owner is entitled to payment for a pirated product. If you consider one theft so is the other.

        • >failing to provide source

          Providing the source to any derivatives is the payment required by the GPL in order to receive a license for redistribution.

          Assuming the allegation is true, they failed to pay for that license. Which means they have no license, and are committing copyright infringement by copying it.

          That doesn't make it theft - they didn't take the original code away from the developers who wrote it. They just copied it without permission. Exactly the same as every person who's ever illegally

        • To further clarify:

          Depriving the owner of the thing you took = theft

          Depriving the owner of anything else = possibly other crimes, but NOT theft.

  • The reason you'd generally be banned/silenced for sharing such information is that people are dumb. Announcing this in a public space makes your information sharing an attack on the reputation of the author(s). It doesn't matter whether the technical information is factual. It will be interpreted by the public in ways which harm the reputation of the author(s).

    As others have said, this technical information is not of interest to the general public. It's of interest to programmers, most of all to the origina

    • Re:An attack? (Score:5, Insightful)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday February 07, 2023 @07:24AM (#63271913) Homepage Journal

      As others have said, this technical information is not of interest to the general public

      I want to know if someone I'm doing business with is a thief (or equivalent.)

      • Which we still don't know for certain. The original authors of the source-code that was claimed made up derivative portions in the voice.ai binaries could possibly take this to court and find whether that's the case in discovery ... but most likely this would never be made public knowledge due to the potential harm to voice.ai's reputation.

        The law is a complex field much like any engineering discipline. It's foolish to believe the law is objective, it's really much like rational thought: emotional and logic

        • 1) I am a human, I have emotions. If you are a very small shell script, then you might not understand that.
          2) It's also logical to care when people act in bad faith, because that kind of thing causes harm. That's why we have laws against it.

          • All you're doing is demonstrating what I said. You're making an emotional appeal and assuming the guilt of the accused, which has damaged their reputation.
            • False. I made an if-then statement, and you were triggered by it, and as such failed to evaluate it. Your parser is broken.

              • You appear to have zero understanding of the subjective interpretation of language or the obvious biases you exhibit for all to see.
                • by Pieroxy ( 222434 )

                  You appear to have zero understanding of the subjective interpretation of language or the obvious biases you exhibit for all to see.

                  May it be possible that he has a different understanding than yours - instead of his being zero and you a full understanding? And is it possible no one is wrong in this argument, but you're just arguing because you're seeing things differently?

        • I think in this scenario the company could fill out a transparency report, if they believe they did no wrong. If they don’t fill out such a report, then trust will be hard.

        • >Why would you want to know if the person you're dealing with is a "thief"?

          A few reasons off the top of my head:

          - Because if they're willing to screw over the people that made a (substantial?) part of their product, they're likely just as willing to screw over their customers for a quick buck. Doing business with known criminals has always been considerably more risky than with law-abiding businesses.

          - Because I'm likely to lose legal access to the infringing software I bought from them, since they had

    • As others have said, this technical information is not of interest to the general public. It's of interest to programmers,

      Why do you separate programmers from the general public. Nerd lives matter!

  • Surely, the sequence [post disclosure about company's software]] [banned from company's server] is CONFIRMATION, not SUPPRESSION.

    When are CEOs/ CTOs, PR and Legal departments going to realise this?

  • by Tom ( 822 ) on Tuesday February 07, 2023 @11:24AM (#63272493) Homepage Journal

    and was promptly booted from the community's Discord server.

    And there's your evidence that they acted with malice, not ignorance. Should be a pretty easy case after that. Let's nail 'em to the wall.

    • The two acts can be separated. The improper use of GPL code can be due to ignorance. The booting from the Discord server can be due to malice.

      You can do something by accident and then handle it badly. But both could just be due to malicious intent.

Marvelous! The super-user's going to boot me! What a finely tuned response to the situation!

Working...