Sony PS3 rootkit rumours rubbished
Suggestions that Sony has added a rootkit with the latest firmware update to its PS3 console have been denounced as bunkum by a leading gaming security expert. Rumours began flying on the interwebs earlier this week that the official 3.56 firmware upgrade for Sony's consoles gave the consumer electronics giant the ability to …
as a PS3 owner..
.. I'll tell you that mine have been phoning home for years. This is not a new thing, even if I don't sign in to PSN it will still check for game update when I run a game, it will ask me if I want to connect to the internet when I run a blu-ray movie.
if my internet is off, I will get a notification about a DNS look-up failure as soon as I power it up, even without me trying to sign in to PSN.
if you use a wired network, then the only way to stop it from using the internet is to disconnect the wire (there is no icon to do this). If you are using a wireless network (like me) then you just have to turn off the wireless network from the PSN.
this is not news, nor is it a part of the current update. As a PS3 owner, I've seen my PS3 do it for years.
bwahahaha
I told you so :-)
Now do you believe me?
Actually, the biggest potential disaster would be if said malicious software set the HDDLOCK command with a random key, then charged a fee to unlock it.
Would you pay to get your gamesaves, personal data etc back? I think not.
(memo to self:- check his car for um, foreign devices under the petrol tank!)
AC, because he is out of work and REALLY doesn't want to get blacklisted...
(also where is the flaming battery icon El Reg?)
Go Sony!
I believe Sony's approach is the same as that of my dear old Nan (god rest her):
"If you don't like it. P*ss off!"
*this message is brought to you by a happy PS3 owner who has dodged all this b*ll*cks by not f*cking with his machine in the first place.
Cost
and the £200+ I paid for my device - you know, the one that now does LESS because of Sony - am I getting a refund for that?
@Grumpy Joe
Oh, come on! Does 'what it used to do' have a cash value of any kind?
Even if someone can convince Sony that it does. It certainly doesn't equal the entire cost of the device.
Oh
It is a root-kit but it's in the EULA, so it's OK then, right?
Naive or a bit thick?
"I'm still waiting for someone to explain how this 'PS3 rootkit' could be used to run unsigned malicious code on a non-jailbroken box,"
Nobody is worried about unsigned malicious code - it's the *signed* (i.e. SONY's own) malicious code which is a problem.
And any code that a manufacturer wants to run surreptitiously on a user's machine is malicious by definition.
someone answered that one above
cut and paste time:
"1 there is NO WAY to run code that isn't approved by sony on the latest firmware, because although it's been opened up it hasn't been cracked. so people worrying about malicious signed pretending-to-be-sony code is just as pointless as worrying about malicious unsigned creeped-out-of-the-gutter code.
so it goes back to being an issue of not getting on PSN for modders who can't update. nobody is going to somehow magically send your PS3 some dodgy code and make it blow up, signed, unsigned or co-signed which is what most of the crying and shouting seems to be about.
2 see above. i'd imagine the majority of people who aren't modding don't care what sony runs on their console. do they know what the console has been doing / running the last six months or a year that they've had their console for? of course they don't, they haven't got a clue other than it comes on when they press the power button."
what on earth do you think sony are going to do to your console or data? what information do you have stored on the console that is so terrifying to you? as far as i can remember, everything like payment information & personal details are stored on the playstation network, NOT the console - so what is the problem if you're not modding?
has everyone just suddenly woken up from a deep sleep and realised "holy cow, we have no idea how these consoles sitting in our front room the last 5 years work"?
Wrong answer, try again
Spelling it out time:
S O N Y ' s c o d e r u n o n m y c o n s o l e w i t h o u t m y a p p r o v a l i s m a l i c i o u s b y d e f i n i t i o n
You really can't be serious saying that I should not care what a networked piece of equipment in my house is doing?
"what on earth do you think sony are going to do to your console or data?"
Well, they can stop the console from playing a specific game, for example - remember 1984 on Kindle? Or kill your console altogether, if they want to for some concocted "intellectual property" violation.
You seem to be saying there is nothing wrong with Sony doing such thing but I believe you are gravely mistaken.
no, you try again
"You really can't be serious saying that I should not care what a networked piece of equipment in my house is doing?"
Unless you're hacking your console to bits with mod tools, please explain what ANYBODY who isn't a modder knows what the inner workings of their console is doing. as evidenced by the reaction to this, people seem to think consoles work with magic pixie dust.
if you care so much, pop it open, see for yourself then stay offline if you disagree or buy something else. the constant modding & cracking leaves sony little choice at this point.
"what on earth do you think sony are going to do to your console or data?"
"Well, they can stop the console from playing a specific game, for example - remember 1984 on Kindle? Or kill your console altogether, if they want to for some concocted "intellectual property" violation."
Wait, this is getting silly now. consoles in the current gen have ALWAYS been able to out and out ban a username from a specific game, or indeed ban the console forever if evidence of cheating and / or piracy has been found. ps3, xbox, have done this for YEARS. 1984 and kindle has absolutely no relevance at all to someone having their console banned if they trip enough checks and flags for cheating.
and if you don't want to be pulled for "IP violation", the solution is simple: DON'T GO ONLINE WITH A MODDED BOX.
other than preventing your online access I'm struggling to see what danger there is to your data - most (or all) of which is stored on the PSN, outside of your console and effectively outside of your control if someone happens to hack your PSN account while you're tucked up in bed.
and as mentioned elsewhere, the person who first started this on IRC has now said he didn't claim there was a rootkit, just that he'd seen "some evidence" of remote activity.
still don't see the big deal.
OK, if you insist
If you read carefully you will finally realise (I hope) that I don't talk about breaking the network rules etc but about manufacturer interfering with hardware in a way that affects its offline functions.
Like revoking device or content keys which will stop your PS3 from playing at all or from accepting specific discs (which you may have bought legally, but which the rights holder decided he does not want you to use anymore).
I know BD specs (AACS actually) provides for these things anyway - that's why I'll never pay for anything BD, but that code execution function makes it easier for Sony to enforce that crap and to extend it to things not covered by AACS.
You may say that it's within Sony's rights but that is the whole bloody point you people seem incapable of understanding - it may well be within their rights (because of corruption or incompetence or negligence of lawmakers) but it should not be.
Ah, EULA and T&C's. My old friends....
You know, UK Contract law is a fascinating beast. You may have heard of something called "Unfair imposition of extended terms." Some people call it the "Shrink Wrap License Issue".
You see, the problem is, you don't get to see the Contract/EULA/T&C's before you've purchased the goods, which means the vendor is attempting to apply contractual terms on you AFTER the fact and without pre-sale agreement.
Under UK Law, that's pretty much a no-no. Same goes for most of the EU. In the US, I believe, it's totally fair.
Also, any variance to the 'contract' between you and a service provider to which you have not formally agreed (even if they've put in a clause that says they may vary the terms without notice etc.) renders the agreement null and void.
Odd thing is, this greyness in contract law as regards EULA/T&Cs has only ever been challenged in Scotland and remains unchallenged elsewhere in the UK.
http://www.lawiki.org/lawwiki/Shrink-wrapped_licence_agreements:_the_UK_legal_position
You're Right
However, the T&C's relate to the console's online use and you're asked to accept it to proceed,
The whole thing about modding a consumer electronic is not in question, as sticking new bits of coloured plastic or new HDD's is a form of Modding, however modding the o/s to use on the pre agree T&C's online allowing you to either pirate or negate unfair advantages over other users is where the T&C's come into force and can terminate your use of a service, not the product (hardware) the hardware can still be used offline and the other unofficial sign code can be used just not on the network.
there's two products here, the hardware which is yours and the network which isn't.
Yes, but
"there's two products here, the hardware which is yours and the network which isn't."
The problem is that running code without your authorisation is not part of the network service if it affects the offline functionality of the hardware which has nothing to do with using the network.
Deserved Bricks
If you're going online with a Jailbroken PS3 you deserve to have your console bricked. First rule of jailbreaking is not to go online with the thing. Unfortunately all these kids who don't really know what they're doing and have jailbroken their consoles just for the sake of it are in for one hell of a shock when the thing won't switch on any more.
an honest question
when Sony released the Slim version of the PS3 and said that it won't have the Other OS feature, my first thought was to get a 2nd fat version in case the one I have dies.
when Sony released an update that removed the Other OS feature from the fat version of the PS3, I thought that both of those consoles shouldn't connect to PSN again, and it was about time to get the Slim version for my gaming sessions (I was already planning on getting the Slim version because of the HD size, the update has sped up that decision).
now my question, for those who did value the Other OS option so highly, why didn't you get a 2nd console to preserve that option? the console price has dropped significantly when the Slim version came out, so why didn't you try to protect your development console?
if you do hold something so dearly, why didn't you spend a few quid to protect it instead of crying about it later?
P.S. I am one of those people who have multiple PCs, I don't mess with my gaming/work PC, but the experimenting PC is always ready to be replaced at the drop of a hat. The same applies to my consoles.
FFS
This argument is ultra boring now. Most of you seem to be AGAINST Sony blocking their system from modification?? Do you not realise that most hackers are using their systems to ruin the online gameplay for those who just want to play a normal game? I had to quit playing Modern Warfare because hackers totally ruined not just the game but all my stats as well. Are you saying that you're FOR hackers doing this?
I would only be in total agreement with this apparent majority IF hacking the system didn't affect the online gameplay of other players, unfortunately I've seen though what this hack has done and to be honest I haven't used my PS3 since.
Yes... Sony SELL you the system, therefore you should be allowed to do whatever, however I hope they also block you from PSN because I'm tired of some spotty little kid wrecking my games.
Get over it
Incorrect
"Do you not realise that most hackers are using their systems to ruin the online gameplay for those who just want to play a normal game?"
Incorrect, this is a very large false rumor that has been spreading around lately.
These cheaters have been cheating months before the PS3 was ever hacked. They use lagswitches and modified save files, it has absolutely nothing to do with the current round of PS3 hacks and everything to do with how pathetically bad the games were actually coded in terms of security.
It's Activision's fault, not Sony's, not the hackers. Cry to THEM that your online experience is ruined.
Fixes
It is not unreasonable for Sony to include corrections to the flaws recently pointed out by the Chaos Computer Club in its newest firmware release.
However, it isn't unreasonable for people to expect that they can connect a PS3 to the Internet, and use it to browse the web, and so on, and not have it upgrade firmware unless they specifically request a firmware upgrade, or connect to a service, such as the PlayStation Network, that requires the latest version of the firmware.
Also, if Sony does fix the problems that might allow hackers to play pirated games, and so on, then they should also, while they're at it, restore the ability to run Linux on the machine.
When you are banned from PSN
The only thing you can't do is access anything through PSN, or that requires a PSN authentication. Your console is still capable of browsing the Internet, but since online games require PSN authentication it's largely pointless.
Do we really have to explain this again?
You buy a PS3. You own the hardware. You can do what you like with it.
HOWEVER, you do NOT own the software. You have agreed to the licence terms which allow you to use it only in certain ways.
If you don't agree with those terms, you can take it back to your retailer within a reasonable period for a refund.
I'll say it again for the hard of thinking: You own the hardware, you do NOT own the software.
Grenade: my gift to those knobs who are making my favourite console less good by their meddling. Thank you very much.
I own the hardware...
I can run any software that I own, or own a license to run, on my hardware. If I run Linux on my hardware, I am allowed to connect to the Internet, provided that my ISP allows me to connect to the Internet. I'm allowed to run games on my Linux PS3, provided I have bought the license to run the game. I'm allowed to run my legal backup copy of said games as well.
I don't have any right to play online games on PSN using my Linux PS3. That's because of the TOS of PSN, and that is still slightly dodgy.
sony
You could not give any Sony product to me. After all that I have read about their antics, I have had enough of Sony.
Chris Boyd is a moron
The Sony encryption keys were leaked awhile ago, anyone can sign anything, and it will run on a non-jailbroken box, how do you think people updated their firmware? Using Sony's OWN updater with a signed forged firmware.
“People will happily download homebrew from Basement Bob which could steal logins/credit card details, but code from the console maker is evil?”
The difference being, most home-brew is open source, Sony isn’t.
For a security 'expert' Chris Boyd is pretty uninformed.
A security expert posted such embarrassing drivel?
I looked up this guy, guess what I found?
He seems to enjoy going on biased tirades, for example, he was blasting bittorrent while praising MS's own proprietary P2P client over it.... he also got an MVP award from Microsoft, hmmm...
First of all, anyone here with a brain knows how useless and baseless a TOS or EULA is, the fact he is bringing this up is pathetic, I have seen better arguments on messageboards from teenagers. If you don't realize why a contract of adhesion presented after you paid for the product with no proof that you signed it whose terms can change at anytime without your knowledge and grants immunity to anything from the company who made the product are tossed out in court.... well, say "baaah" then.
Second, he basically confirmed that there IS a rootkit, so how has this "rumor" been "debunked" exactly?
Third, you do not need to be on PSN, which means no TOS, in order for this to affect you. The PS3 sends information about itself, but also information about EVERY DEVICE CONNECTED TO YOUR LAN, as well as some other data through some encrypted packets, every time it's turned on with an internet connection, even if it's not connecting to PSN. They can most certainly run any code they want without your consent even if you don't use PSN, and thus have not agreed to the TOS.
Fourth, the rootkit can be used to push an update without your consent, in some cases bricking the device if performed at a bad time, or any other such millions of code Sony runs whenever they feel like that can go wrong. Remember, according to federal law, which trumps a silly little EULA written in the back of the manual, the PS3 system is YOUR property, not Sony's. Yet they are controlling it as if it's theirs with this rootkit.
Finally, once its inner workings are disassembled, and they will be, ANYONE can send a command through "the tubes" and wreak havoc, and SONY will be the one to blame for putting this backdoor in there on purpose in the first place.
I would not be surprised if Sony paid off this guy, he has shown to be arguing for the sake of whoever gives him recognition or money in the past. Seriously, his entire damn argument centers around "The TOS says they can do whatever they want" basically, somebody get this guy a lawyer to teach him how toothless that TOS really is. Technically according to the TOS, if my PS3 explodes and burns down my house due to a known defect Sony isn't responsible, you tell ME who do you think would win in such a lawsuit.
accuracy, where art thou?
"he was blasting bittorrent while praising MS's own proprietary P2P client over it.... he also got an MVP award from Microsoft, hmmm..."
aside from thinking a microsoft award would make him more inclined to bash a rival than defend it (or at least show some restraint before jumping on the "omg ps3 virus incoming" bandwagon), if you're gonna mention well known adware stories from the past couple of years at least do more than skim related articles then post incorrect information.
you must be referring to this http://www.pcmag.com/article2/0,2817,1829724,00.asp where john dvorak brought up the MS p2p system that had not been mentioned anywhere in relation to that story - nor did anyone "bash bittorrent", numerous researchers including boyd, pcpitstop and other sites highlighted potentially illegal content mixed up in supposedly legit adware bundles from some of the biggest adware companies of the day http://www.pcpitstop.com/spycheck/badtorrent.asp
dvoraks article was so silly that eweek called him out on it. http://www.eweek.com/c/a/Security/There-Is-No-Conspiracy-Against-BitTorrent/
to my knowledge, nobody involved in that research then or since ever mentioned avalanche besides dvorak. so no, nobody "bashed bittorrent" and five minutes reading would have brought you to the same conclusion.
"First of all, anyone here with a brain knows how useless and baseless a TOS or EULA is"
EULAs go to court all the time, and many lawyers work with it all the time like these guys http://www.aftab.com/
whether you complain about a EULA afterwards or not the damage is done, and console provider / software creator has probably already done what they wanted to do, or has the power to do it unless you take some drastic action. after the fact is too late, agree and go into it or refuse and go elsewhere. if you're not aware of eula / ToS / contract law going into court on a regular basis, you should probably stop commenting on it right now.
"Second, he basically confirmed that there IS a rootkit, so how has this "rumor" been "debunked" exactly?"
most of the comments i can see from him here were lifted from informal discussions with others on twitter where the basis was IF this exists, then it probably isn't a big deal - but if it does, there's not much you can do about it but you're not going to end up with your console exploding. mashing unrelated comments from elsewhere out of context and combining with whatever he said to the register causes some confusion imho, but it's not particularly hard to work out.
btw did you miss above that the matheiu guy who first mentioned this has now said he never claimed a rootkit shipped? mass hysteria over NOTHING.
"Finally, once its inner workings are disassembled, and they will be, ANYONE can send a command through "the tubes" and wreak havoc, and SONY will be the one to blame for putting this backdoor in there on purpose in the first place."
take a deep breath, then clearly highlight how someone will send "a command through the tubes" to do something malicious to my PS3. if you can't do this, you're pulling ideas out of the sky.
"I would not be surprised if Sony paid off this guy, he has shown to be arguing for the sake of whoever gives him recognition or money in the past. "
you're back to your incorrect assumptions about the bittorrent thing, aren't you? but i'll play ball:
1) he often complains about microsoft on his various blogs, and has been very vocal in the security shortcomings of both their console and their operating systems at conferences and elsewhere. it seems the "bias" extends to you picking and choosing what to highlight.
2) who has "given him money in the past"?
hack the ps3 not for piracy related matters...
look, not everyone wants to hack the PS3 to run home-brew/pirated games/whatever... some, like me, though still have not done it yet, but thinking of it... wants to do this just so that we can bloody play our DVDs from other regions! yes, Sony, it seems, unlike every other manufacturer, still makes their players region coded that can't be made into all region! they suck to no limits and this PS3 is my last Sony buy for no other reason but that Sony seem to hate their customers! and when I say last Sony buy, this includes their crappy media, from CDs, movies, etc etc... there are too many music and movies in this world anyway, one less company that makes them would not result in much loss for me anyway...
Internet connectivity workaround
1) obtain surplus moddable WiFi router
2) custom firmware the beast
3) add hacked DNS table that returns enough data to convince the PS3 it is on the Net
4) add internal rechargeable power supply and charger
4) Sell these on Greedbay without HDD as dual function Piratebox and PS3 un-evilness b0xen.
5) PROFIT!!!!!
AC, because the MPAA will be after him as well as Sony.
