News Security Researcher Finds Coldplay Lyrics in Kingston SSD Firmware

[Admin]

Kingston SSD firmware released in early 2020 contains lyrics to Coldplay's 2002 hit 'The Scientist.'

Security Researcher Finds Coldplay Lyrics in Kingston SSD Firmware : Read more

 

[edzieba]

Padding bytes can be zeroes, noise, or eastereggs, as long as it pads out the total length.

 

[Deleted member 2731765]

Okay, this is interesting.

So what's next ? METAL and Rock band lyrics embedded in UEFI/BIOS ? 👍

View: https://www.youtube.com/watch?v=RB-RcX5DS5A&ab_channel=Coldplay

 

[helper800]

Padding bytes can be zeroes, noise, or eastereggs, as long as it pads out the total length.

Why would anyone need or want padded data in a firmware update?

 

[bit_user]

Well, it's certainly a departure from good ol' Lorem Ipsum.

I'd be mildly concerned about copyright infringement claims, if including something like lyrics to a pop song.

 

[Dr3ams]

If you play it backwards...a sinister voice will blaspheme in Latin.

 

[RandomLegoBrick]

internal programmer love drama

 

[JTWrenn]

Why would anyone need or want padded data in a firmware update?

They can without any issues is what they are saying. The way data is stored it wouldn't even take up more space, just fill in the edges of blocks that are already taken up. Doesn't hurt it, doesn't help it, just extra space. Like writing in the margins of a sheet of paper. No matter what the whole paper is going to be used to carry your writings...there is just extra space that is being used to transport your words and is filled with nothing so you can add a note and not change a thing.

 

[Sluggotg]

Back in the Amiga Days, I looked at a lot of Boot Blocks on Amiga Game Disks. Some had interesting messages. Cussing you out for looking at the boot block etc. (They assumed anyone looking there was a Hacker trying to break the copy protection). I don't mind these things, but it does bring up the possibility of something sneaking through that could be some form of Malware. Looks like they were having some fun.

 

[Elusive Ruse]

I'd be more impressed if they had inserted Kingston Wall lyrics instead of Coldplay.

 

[mitch074]

If it's pure padding, i's no skin off anyone's nose. It could also be an easy way to make reading through the firmware a bit more difficult - if you pad stuff with zeroes or Lorem Ipsum, it's easy to track... A Coldplay lyrics sheet is far less likely, and should be harder to locate - even harder than random noise.

 

[kyzarvs]

Back in the Amiga Days, I looked at a lot of Boot Blocks on Amiga Game Disks. Some had interesting messages. Cussing you out for looking at the boot block etc. (They assumed anyone looking there was a Hacker trying to break the copy protection). I don't mind these things, but it does bring up the possibility of something sneaking through that could be some form of Malware. Looks like they were having some fun.

Not to mention the Rock Lobster boards (B52's album name). I still have a couple

 

[edzieba]

Why would anyone need or want padded data in a firmware update?

If you use the classic firmware update method of flashing the entire memory contents in one go (rather than incremental updating using a self-flashing bootloader and flipover), the file to be flashed will typically match the capacity of the memory space being flashed. If the data you actually need to flash is smaller than the space available, then the remaining space is filled with padding values to make up the difference. e.g. if you have a 1KiB chip to flash, the hex to be flashed will be a 1KiB file even if you are only 'using' 256 bytes of that. The remaining bytes can be all zeroes, or random values, or whatever else you want, as the file will be the same size regardless.

 

[RodroX]

Just a random employee who cared nothing about copyright and just wanted to do it, because he/she could do it, knowing no one in the uppper chain will look that far/deep into the file (which is really not that far or deep).

At least they picked a nice piece of music and not some Shakira songs or the likes.

 

[Avro Arrow]

Well, at least it's a good tune! Could you imagine if they had put "Muskrat Love" in there instead? 😆

What's next, Superman's Song by the Crash Test Dummies?:

Both songs classify as soft rock and they're both kinda sad...

 

[AndyChow]

Why would anyone need or want padded data in a firmware update?

It's possible the firmware update requires a specific payload. Often it's padded with zeroes. I've seen firmware updates that want (say) 4096 characters, exactly. And if there is 4095, it won't update, because it thinks it only got part of the update. Since firmware updates can brick the system, it's not bad system.

 

[Watchful Fox]

Well, it's certainly a departure from good ol' Lorem Ipsum.

I'd be mildly concerned about copyright infringement claims, if including something like lyrics to a pop song.

Why? It's not the song, just lyrics. They own the copyrights to their performance but anyone can cover any song by crediting the original songwriter.

 

[bit_user]

Why? It's not the song, just lyrics. They own the copyrights to their performance but anyone can cover any song by crediting the original songwriter.

I'm no lawyer, but I'm sure pop song lyrics are always copyrighted, and I'm sure you don't get a pass to cover a song by simply crediting the author. The rights owner might not bother to sue you, but that's up to their discretion.

The only thing that's legally protected (in the USA) is doing an obvious parody or satire. Otherwise, you're running a risk of getting sued.

 

[Endymio]

I'm no lawyer, but I'm sure pop song lyrics are always copyrighted, and I'm sure you don't get a pass to cover a song by simply crediting the author.

You are correct. However, this particular usage would not be copyright infringement, no more than singing along to the song in the shower would be. A copyright suit has to show harm of some sort, generally a dilution claim, which would hardly apply here. The defense here would be the legal doctrine know as "incidental use". If a TV crew interviews someone in a bar, and a copywritten song is heard playing in the background, that's incidental to the purpose of the interview itself, and not infringment.

Furthermore, the Director of the US Copyright Office has explicitly stated:

"New technologies have made it increasingly apparent that not all reproductions are the same. Some copies are merely incidental to an intended primary use of a work, including where primary uses are licensed, and these incidental copies should not be treated as infringing..."

 

[USAFRet]

Just a random employee who cared nothing about copyright and just wanted to do it, because he/she could do it, knowing no one in the uppper chain will look that far/deep into the file (which is really not that far or deep).

And a proper code review before release would have caught this bit of idiocy.

 

[bit_user]

And a proper code review before release would have caught this bit of idiocy.

The thought occurred to me that what if this is baked into a unit-test or diagnostic self-test? It's not hard to imagine: someone is writing + reading-back a block of data and decided to use song lyrics from their favorite band, rather than an arbitrary non-repeating bit-sequence.

Wherever it exists, I'm certain modern SSDs have a codebase that's much too large for a top-to-bottom code review. I mean, that's like Nuclear Reactor stuff, or maybe airplane avionics. Where I work, we require 2-person review + signoff for all changes and even that process is more than burdensome enough.

 

[USAFRet]

The thought occurred to me that what if this is baked into a unit-test or diagnostic self-test? It's not hard to imagine: someone is writing + reading-back a block of data and decided to use song lyrics from their favorite band, rather than an arbitrary non-repeating bit-sequence.

Wherever it exists, I'm certain modern SSDs have a codebase that's much too large for a top-to-bottom code review. I mean, that's like Nuclear Reactor stuff, or maybe airplane avionics. Where I work, we require 2-person review + signoff for all changes and even that process is more than burdensome enough.

Right.

But at every step along the way, every intermediate build and test....code review.
Multiple eyes on the thing.

If their procedures are so lax that some asshat can inject this at a late stage, with no oversight....that is also bad.

 

[therosses]

What are the odds that bits randomly appeared to form lyrics to a song?

 

[bit_user]

What are the odds that bits randomly appeared to form lyrics to a song?

Not worth trying to calculate.

Even if the flash were far more error-prone, increasing the rate at which bit errors occur, in order to have structured data emerge, you need some sort of feedback loop to reverse entropy. Otherwise, entropy would increase, not decrease and what you'd get would be even more noisy than whatever initial condition they started with.

It's a generalization that applies across any sort of emergent phenomena, across fields as disparate as genetics, neural networks, and macro economics. Order simply doesn't emerge from chaos, without such a process at work.

 

[helper800]

What are the odds that bits randomly appeared to form lyrics to a song?

This would be a 'not impossible' but so rare to happen in nature that it is not worth considering. Lets say that the amount of bits required to fit this song was 50. The odds of them flipping to the exact sequence required for the song to exist would be 1 in 50! (factorial). This would be 1 in:
30,414,093,201,713,378,043,612,608,166,064,768,844,377,641,568,960,512,000,000,000,000
I believe in US numbering this would be 30 vigintillion, or a number followed by 63 zeros