Sony has set the lawyers on hackers who figured out a way to run unsigned code on PlayStation 3 consoles without the use of a dongle. The hack, made possible by the discovery of the private key Sony used to sign its software, was demonstrated by a group called fail0verflow at the Chaos Communication Congress in Berlin late last …
"Sony may attempt to reestablish control of the situation by updating PS3 console software over the net. "
if they do that, all the currant games wont work. wrong key, you see....
with regards to the lawyers, this is a dangerous tactic by sony, if they lose they open the door for every hacker. look at jail broken iphones.
Don't you just love them. Their only knowledge of cryptography and PS3 hardware is what they read on some internet forum.
Sony have already said they can block this. It's also been acknowledged that Sony can also detect it (so expect permenent console bans to kick on pretty soon), and it's also illegal under DCMA.
I think the onlt jailbreaking that idiot George Hotz will be doing soon, is with a spoon trying to scrape away the mortar from between the bricks in his cell..
I hope it was worth it....
There are things they could do
The most obvious ways Sony could rein things in a bit would be:
* Add a challenge / response during PSN sign on. e.g. asks firmware to checksum some arbitrary range of bytes in its fw or memory to proceed. Wrong answer gets flagged.
* Embed silent audits into fw updates and into games. There could be multiple audits so it's not a simple case of patching a few lines of assembly. E.g. an audit might be done in obscure corners of the XMB, e.g. change wallpaper and an audit fires off. Audit would search for popular homebrew / pirate apps such as iso loaders. Results of audits get sent up to PSN or Sony via any active network connection.
* Start padding out game data with garbage, duplicate data, etc so games fill a 25Gb, 50Gb or 66Gb disc. (Sony has a format in the works for 66Gb)
* Banning anyone stupid enough to fail an audit or run cracks and sign into PSN.
* Move more content online so PSN becomes more necessary
At the end of the day none of these things are foolproof. The intent is to detect piracy and slow down / discourage it. Even that is worthwhile if it puts days or weeks between games being cracked, if ever.
On the flip side they could also foster goodwill by:
* Recognize things have gone way beyond the OtherOS removal so reinstate it. Split the pirates and homebrewers into 2 camps
* Step up firmware updates again with new functions. Keep crackers on the backfoot by providing reasons for users to stay legit.
They could block it...
Have been thinking about this with my tongue out for a minute or so and I've come up with a solution Sony could use.
Essentially, the problem is that if they change the encryption keys, all previous games will likely now fail to run (you have to block any code that has been signed by the old key - except the legit stuff, which you've no real way of identifying).
However - most games auto-update (or alert you to new versions) with patches. If Sony can get all their publishers to push out a new patch, job done. The problem is getting all the publishers to support a patch for their back-catalogue - no mean feat, especially as some will have been orphaned by now. Alternatively, you could have a whitelist of approved games that have the old encryption key - which assumes Sony know their back catalogue inside out (presumably they do).
Or lastly, they could just reimplement the "Other OS" option, the removal of which seems to have caused this hacking crusade in the first place. Especially as I doubt they have a leg to stand on by suing these people.
"Or lastly, they could just reimplement the "Other OS" option, the removal of which seems to have caused this hacking crusade in the first place. Especially as I doubt they have a leg to stand on by suing these people."
Yes. I'm pretty sure that fail0ver and other real hackers will simply stand down if they re-enable OtherOS ... which is the reason they started hacking at the PS3 in the first place!
@Bedroom Coders: You fail at crypto even more than Sony. The math involved in cracking the PS3 is not trivial, breaking asymmetric keys isn't trivial, and getting yourself into the CCC isn't something that "skreept keedz" would be able to do. GeoHot did basically take the fail0verflow tools and do some cheap jailbreaking, but it wouldn't have been possible without fail0ver's research. In fact I don't have a good opinion of him, as he actually enabled piracy in the PS3, which the fail0ver crew *didn't* do because they didn't want to enable pirates, only restore OtherOS functionality.
Detect it, or "detect it"?
"Sony have already said they can block this. It's also been acknowledged that Sony can also detect it"
Can they actually detect it, or is this just more FUD like the cable TV companies used in the '80's to (attempt to) scare people away from plugging in more than one TV?
A few notes of counter
"Start padding out game data with garbage, duplicate data, etc so games fill a 25Gb, 50Gb or 66Gb disc. (Sony has a format in the works for 66Gb)"
Garbage data is easily compressible (unless it's highly random, non-repeating strings of bits) or is simple enough to create a "PS3 ISO compressor" that simply reverses whatever method they use to detect and skip over the garbage data and remove it, then on-the-fly dump the "non-garbage-padded" ISO to a bzip or the like compressed file. On the receiver's end, they would feed the compressed file back into the ISO compressor tool to reinflate it and add the garbage back in. All in all, unless it's real data, it can be compressed (usually). The compressor might even strip the encryption on the files (if needed) to make the actual data more compressible and reapply the encryption on the "inflate" side, since the key is known.
As for things like "Add a challenge / response during PSN sign on. e.g. asks firmware to checksum some arbitrary range of bytes in its fw or memory to proceed. Wrong answer gets flagged." it would be simple enough to have your new "rogue" code respond with an authentic checksum response or the like. Basically, if the response is generated console-side, it can be duplicated. As well as "audits" being defeated.
But you recognize this by stating: "At the end of the day none of these things are foolproof." but fail to mention that it is fairly trivial to the point of worthless to attempt to incorporate the measures.
"Yes. I'm pretty sure that fail0ver and other real hackers will simply stand down if they re-enable OtherOS ... which is the reason they started hacking at the PS3 in the first place!"
On the other hand though, they may carry on - at this point the die has been cast and Sony have shown they will happily drop the axe and force an ultimatum of PSN or OtherOS. Who's to say how long it would stay if they did reverse their decision?
Sadly, not that they'll change their mind and restore it anyway..
It's a *CIVIL* lawsuit. CIVIL == no jailtime.
Also the raisin and sultana based games for PS3 won't work.
Garbage data could be encrypted random bytes which by definition are not compressible at all. Even legit data could be encrypted on disc so it too is essentially random and uncompressable. Every game could do this, hiding their keys and so forth making it a chore to figure out which files are needed and which aren't. The purpose is not to necessarily produce a crack proof scheme for the game but to put delays between the time a game is released and the pirate copy appears. Of course pirates might release the entire 66Gb dump to P2P but I bet very few people would be bothered to download it.
As for PSN challenge response, the whole point of making an arbitrary challenge is so the cfw *can't* guess. One time it might ask to checksum a particular file, another time to send register state, another time a randomized range of bytes in memory. Sony would have the advantage of knowing which challenges would fail on the bogus firmware and craft their challenges accordingly. The purpose is that unless the custom firmware perfectly answers the challenge each time the user is going get flagged and probably banned.
And no the measures are not worthless or trivial. They're exactly the sort of things that Sony will have to do to put any measure of protection back into their system. Microsoft already does similar things in XBL which is why we see occasional waves of bannings. They are a deterrent.
The intent is not to make the system cracker proof but to deter and put a huge burden on crackers so that every firmware release, every game release takes an inordinate amount of time to break. Time means more legitimate sales of the software which at the end of the day is what Sony (and its publishers) are concerned about losing.
@DrXym (first post)
I'm pretty sure a lot of games are already padded with garbage anyway - Dante's Inferno on the PS3 springs to mind.
Re There are things they could do
Covertly collecting data on other peoples computers is illegal and will land Sony and co. in deep shit if they start scanning. The resulting lawsuit from the masses would send Sony to an early grave.
And the raisin for that?
Dont worry. I already got me coat...
>As well filing the lawsuit, Sony may attempt to reestablish control of the situation by
>updating PS3 console software over the net.
How will that work? even assuming they could change the root keys, wouldn't that turn your existing PS3 discs into expensive coasters?
From what I can see this is pretty much game over for PS3 security.
Wouldn't that turn your existing PS3 discs into expensive coasters?
Yes it would.
Updating is not possible as the key is hardcoded into a chip. I'm just surprised that no-one had milled the chip down and microscoped it sooner.
They'd simply have to lock out ALL forms of firmware upgrade that cannot be authenticated (meaning update-by-USB would be killed). That means updates would come either through game discs (and the PS3 contains HARDWARE lockouts to prevent BD-Rs being used--only official PRESSED discs would work) or through PSN (which will have separate authentication channels--without Sony's SSL certificate, you can't MiTM an SSL-based online update).
The Update Method
The "PSN Update" isn't done by SSL. In fact, it is a crappy txt file that says which is the latest FW version, and gives the link to download the latest FW. Any skilled IT person could simply set up his own "PSN Update" server and point it to a custom FW file. It just won't be possible to stop these things.
If anything else fails, the hardware flashing mechanism will work. The ROM keys were compromised.
So just update it.
Just include the update that FORCES using SSL for future updates. Once that one update goes in (via network or game discs), the update gets locked down. The update can also look for and scrub clean backdoors and frontends.
And yet again...
... is the crushing pointlessness of DRM highlighted for all to see.
"Piracy BAD", yes maybe but you don't stop it by annoying your paying customers rather than the people you're trying to stop. Any more than you stop a charging elephant with a sheet of cling film.
It has the opposite effect if anything
Bad DRM can drive people to getting illegal versions (I think Spore was a fantastic example, friend of mine bought the real thing, struggled so much with the security that he just put the dvd on the shelf and cracked it).
Most games these days have the security broken before release anyway, those lucky few that don't are usually done within a few days of release, it stops nothing, but makes honest people wonder why they are getting punished.
Which paying customers are annoyed?
DRM has kept the PS3 piracy free for 4 years so it's clearly not pointless. Compare and contrast it to piracy on the Wii & DS for example. Where Sony screwed up by accounts was by using a weak random number generator which made the private key predictable from the public key. With the private key crackers & pirates are now able to sign arbitrary code so it passes security checks. If the key had not been weak this would have been considerably more difficult to do.
As for annoyed paying customers, I doubt the removal of OtherOS affected many people at all. Certainly legit customers shouldn't be annoyed by Sony going after crackers.
As a paying customer...
"As for annoyed paying customers, I doubt the removal of OtherOS affected many people at all. Certainly legit customers shouldn't be annoyed by Sony going after crackers."
yet the OtherOS removal pissed off the kind of people that were skilled enough to crack the PS3. It's as stupid as that dude who wanted to burn Korans in the US. You're asking for it.
As for me? I was one of those "rare" dudes who buys PS3 games *and* uses the PS3 Linux for research purposes. If you don't know the difference between CellBE and craptel x86, you're too dumb to even argue the 'buy a PC' FUD. We were hit by OtherOS removal precisely because we *do* play games, but we can't because updating will kill Linux support.
Really. Is someone playing games *and* running Linux too much of a stretch??
I've used Other OS and YDL and the Cell SDK. That doesn't mean I can't recognize that the number of people who likewise were miniscule and diminishing and it's removal hardly affected anyone at all. Of the people who did use Other OS, I expect a large number would have ended up in research labs where they wouldn't be updating their firmware anyway.
So while regrettable, let's not pretend many people were aggrieved by removing OtherOS. It certainly doesn't account either why anyone would get riled by crackers whose intention is plainly, absolutely not to reinstate OtherOS but to produce custom firmware whose primary purpose will be piracy. It only takes a glance at other compromised systems, such as the Wii, DS, and PSP to recognize what utter bullshit it is when people cite "homebrew".
i read thet it was nintendo (well an employee) who let the cat out of the bag....
It is my understanding that somebody sent a wii back to nintendo for service and when it was returned a "service disc" was left in the wii... It just happened that this wii belonged to someone who had a clue.... if it was returned to 99.999% of all other nintendo wii owners then it ether would have gone on a shelf / in bin or sent back to nintendo...
its from this disk that all the unsigned software that has spawned on the wii had evolved...
also the wii is totally pownd now by the hackers..
A bit pointless
While I can see why Sony feels the need to sue (in order to put off future disclosures and leaks), it seems rather pointless to get an injunction to stop the code being published. It's "out there". There's no going back, regardless of what any court says.
As for all the comments that have been previously posted along the lines of "a new key in the PS3 would stop all existing games from working", well, I'm sure it's not beyond the whit of Sony to put TWO keys in there and use the second key for all new stuff? Or put in a more flexible key system to future-proof it againt any future leaks. Just a wild, shot-in-the-dark guess.
If the original key is still there the hack still works...
It seems that is true of any solution that doesn't trash existing stuff...
That won't work either.
No, they can't add keys through firmware updates. The ROOT keys are NOT inside the system!
The Good, the Bad ...
While I suppose it'll be nice to be able to run Linux on a PS3, it won't be so nice playing online games against cheat-code-equipped players.
Game over in fact.
Shame, because it was quite fun for a while.
IDK about that
people havent thrown away their xboxes despite the endemic cheating on that platform.
paris, because she.. speared through a wall. or something.
Yes but ...
> people havent thrown away their xboxes despite the endemic
> cheating on that platform.
I never said they would throw away their consoles. But I did suggest they'd have less fun playing online against cheat-equipped players.
That was my point.
doncha just luv 'em?
The same company who put spyware in their CDs to stop people copying them,
want to punish people who, for free and for fun,
want to multiply the potential of hardware they paid for and now own
I might get a PS3 so I can do this
Actually they want to stop people from ripping and pirating games which are then signed so they validate and run through the PS3's security checks. I seriously doubt Sony gives a flying fig about "homebrew".
Well, if that is the case it's those who rip and pirate games they should be going after not these guys.
If what they've done is really against the law, then you have a really bad law over there
That is what they're doing. The two camps are indistinguishable. It is absolutely clear from other cracked systems (e.g. the DS & PSP) that homebrew is just a convenient excuse for pirates and that the cracks are overwhelmingly used to enable piracy.
It's clear from the number of thumbs down people are flagging me with that they can't comprehend this simple fact. Sony give a crap about the issue because they'll lose hundreds of millions to piracy, not so some guy can write an MKV player.
If what you are saying is true, then fair enough, and you don't deserve the downvotes.
I can see how pirates would have a vested interest in cracking the systems, but then why publish it?
I think these people are simply the bedroom geeks who want an open system for experimenting and linux etc.
"It's clear from the number of thumbs down people are flagging me with that they can't comprehend this simple fact."
Or maybe they don't think that just because you say something is a fact, it must be so.
Evidence or GTFO.
Wouldn't that turn your existing PS3 discs into expensive coasters?
Yes, but I suppose Sony could offer to replace original discs, presumably physically validating the discs. Wouldn't be that expensive.
They can update the firmware.
What almost everyone is missing here, is you still need to use the original jailbreak to kick all this off, and even then, there are restrictions in the bits they havn't uncovered. I'm guessing there are backup mechanisms in place, and frankly I believe Sony not only have more money, more credibility but more skill than 12yr spotty bedroom coders.
An excellent idea....
"Yes, but I suppose Sony could offer to replace original discs, presumably physically validating the discs. Wouldn't be that expensive."
Extremely I'd imagine and hope, making it a fantastic idea. Once they've gone through the cycle a dozen or so times over say 3 or 4 years as each successive iteration gets broken in it's turn they might get the point that DRM doesn't work and that it has exactly the opposite effect that they intend.
For that to work
Sony would have to replace every disc sold so far and those sitting on shop shelves/in the distribution channel. How long would that take? How pissed off would people get if everyone had to send their entire game collection to sony and wait a couple of months to get new copies back.
I'm not sure how many games have been sold to date but the postage would have to be paid (there and back), storage for all of them, new media, printing, remaking the games, 100's of peoples wages, storage for the new games, loss of sales, no doubt a class action suit in america, some sort of compensation for everyone and probably 100 other things i haven't even thought about.
It would cost them a fortune
Wrong, this new method needs a file on a USB stick in a certain directory, run update from stick one hacked PS3.
Breath in, breath out, now calm down
Let's step through this nice and slowly ok.
The root key is held on a non flashable hardware chip in the console. To revoke the key means replacing the hardware.
If they push the firmware onto some other chip in the console, they need to sign the code with the key, thats the key that has been compromised btw.
You then go and do your own thing, and guess what, the console accepts your input as legitimate as it's signed with the key that Sony cannot revoke, cause it's burnt into the ROM.
As for the seething about 12 year old spotty coders, I assume you haven't actually spent any time validating the credentials of the guys who performed the analysis?
"but more skill than 12yr spotty bedroom coders."
Well, obviously they haven't, or we wouldn't be reading this story.
You don't need any jailbreak hardware to do this.
Copy the current modified firmware to a USB stick and install it. Voila.
The dongle hasn't been required since the firmware is now signed with Sony's key.
"12 year old spotty coders"?
I think you'll find they are a little more intelligent that your average teenage FaceSlap user. They more not be the very best of the best, but I bet they easily code most IT professionals under the table in a challenge. Hacking firmware on locked down consoles is not kids-play, lots of things can go wrong like instantly bricking a £200 bit of hardware, think Indiana Jones in that ball-down-the-ramp scene.
I don't play games other than Boogle and Scrabble on my iPhone, but I do have a great deal of respect for these people who spend so much time not just to get the kudos from their peers but to help others get more use from the hardware they have purchased.
Is a little bit of respect for technically competent people, too much to ask?
That can be addressed.
Once a new official firmware is released, they can push it onto PS3s by network updates and new game discs. They'll do the following things:
1. Disable firmwares by USB (killing the dongles).
2. Change the network update mechanism to go through secure connections (thus disbling the MiTM attack).
3. Find some way to make the update one-way so that not even Service Mode (the preferred method for downgrading firmwares) can reverse the process.
Once all that's done, there'll be no way to get unofficial applications onto the PS3, not even signed ones, since the default software doesn't allow for that unless it goes through official channels (which can be hardened because they don't use the compromised key).
Sony are the SCO of electronics.
Sony are the SCO of electronics.
I hope the hackers counter sue for £millions in damages
Because GeoHot just had to put the Piracy into the Linux-enabling hack, Sony can flog the "Piracy!" Flag on this one. Why the hell did he do that? Just enable Linux dammit!
I do hope that the defense pulls up that they did it because of OtherOS's loss... it might probably help the other class-action suit out there.
That's just not true
Geohot SPECIFICALLY did not patch the lvl2 kernel, so that backup managers could not work. This was to enabled homebrew inside GameOS. Someone else later patched (Ev1lNAT from memory) lvl2 and that enabled piracy.
- Game Theory The agony and ecstasy of SteamOS: WHERE ARE MY GAMES?
- Intel's Raspberry Pi rival Galileo can now run Windows
- Hello, police, El Reg here. Are we a bunch of terrorists now?
- Microsoft and HTC are M8s again: New One mobe sports WinPhone
- Worstall on Wednesday Wall Street woes: Oh noes, tech titans aren't using bankers