It has been a full week now since the news about hacking group Fail0verflow’s discovery of the PS3 “root key”, which would allow homebrew developers to sign their own applications, began to filter out of the 27C3 (Chaos Communication Congress) Hacker Conference 2010. It seems that Sony executives either hadn’t been paying attention to the reports, or simply discounted them as another easily-corrected security hole, as they had not released any type of statement regarding the discovery until today.
After reading the statement that Sony provided to Edge Magazine, it appears that it is more likely the latter scenario.

“We are aware of this, and are currently looking into it,” a Sony representative told Edge. “We will fix the issues through network updates, but because this is a security issue, we are not able to provide you with any more details.”
But statements that have been made by the Fail0verflow team, and were reiterated to the BBC yesterday by group member pytey, indicate that there is no simple fix this time around, as there was with the USB key hacks such as PS Jailbreak.
“The complete console is compromised – there is no way back,” pytey told the reporter. “This is as bad as it gets – someone is getting into serious trouble at Sony right now. The only way to fix this is to issue new hardware.”
Pytey also explained how the Fail0verflow team was able to calculate the key, which he described as something that is “supposed to be the most secret of secret of secrets – it’s the Crown jewels,” and exactly where Sony went wrong:
“Sony uses a private key, usually stored in a vault at the company’s HQ, to mark firmware as valid and unmodified, and the PS3 only needs a public key to verify that the signature came from Sony,” he said. “Applied correctly, it would take billions of years to derive the private key from the public key, or to make a signature without knowing the private key, even when you have all the computational power in the world at your disposal. The signing recipe requires that a random number be used as part of the calculation, with the caveat that that number must be truly random and not predictable in any way. However, Sony wrote their own signing software, which used a constant number for each signature.”
From there, it was just a matter of using “simple Algebra” to uncover the key.
It’s quite likely that Sony lawyers are very busy at the moment trying to figure out a way to put a stop to this, but pytey says he’s not worried. “I haven’t stolen anything,” he said. “It’s my own hardware, I can run whatever I like on it.” If the ruling in last month’s Xbox 360 mod chip trial in California is any indication, these guys should be on safe legal ground.
10 Comments
| However, Sony wrote their own signing software, which used a constant number for each signature.” From there, it was just a matter of using “simple Algebra” to uncover the key. |
| It’s quite likely that Sony lawyers are very busy at the moment trying to figure out a way to put a stop to this, but pytey says he’s not worried. “I haven’t stolen anything,” he said. “It’s my own hardware, I can run whatever I like on it.” |
int getRandomNumber()
{
    return 4;
}
http://dilbert.com/strips/comic/2001-10-25/
| Does that mean AMD/ ATI, WD, OCZ, and every other peripherals manufacturer could sue me because I don't keep their hardware at specs? AMD plainly states that they are NOT responsible for overclocking issues. Even though they sell specific lines (Black Edition) just for that purpose. At what point do we keep taking it up the ass from corporate greed as well as government intervention to protect those greedy cock-suckers at Sony and other (MS) console makers? If I can't play it on my computer, then it is irrelevant to me. (Did you hear that, game manufacturers?) My computer is way beyond Sony's Piece of Shit3, and if their code ever gets released or reverse engineered, 3 words MAME emulation, bitches. |
It all depends on what kind of license agreements you have actually agreed upon.
If you bought a Sony Playstation 3, agreed to a license agreement that forbids you to set fire to it and then set fire to it.. well... you are breaking the agreement. I'm not sure if breaking an agreement would actually be illegal though, but it can have penalties.
If you have never agreed upon a license agreement that forbids you to set fire to it (you bought the PS3 and never turned it on), and then set fire to it.. I think you're pretty legal.
If you bought a Sony Playstation3, agreed not to modify it via a license agreement and then start hacking away.. well.. are you not breaking the agreement? But would that be against the law? There is no company in the world that can make you agree to something that is against local and international law rules you as a person are obliged to follow or can enjoy.
For instance: Sony could make me agree to set up a human slave trade business via an End User License Agreement, but it would be worthless, since it's against most laws.
That is the sole reason why this licensing business is a very shady business. It is almost impossible for an end user to understand the End User License agreement they are agreeing upon and it is very difficult to prove it abides by every local law.
Some very good points that I (and I'll bet a lot of other folks too) hadn't even thought to consider about EULAs. I try to read all contractual things like those and the damn things that come with my bank accounts but after page 3 my brain really gets tired. I always feel like the things are written in the most convoluted way imaginable for the sole purpose of discouraging me from reading it carefully. Why does everyone have to have a legal degree now to use a piece of software?
But one of the statements brings up a question - supposing someone reverse-engineered a software program and actually removed the EULA from the install or documentation and then re-released it into the wild world of P2P via sharing or the like and it is then downloaded by someone else and installed and used or somehow violated the terms of the agreement that they never saw. Would that person be liable in such a case?
| But one of the statements brings up a question - supposing someone reverse-engineered a software program and actually removed the EULA from the install or documentation and then re-released it into the wild world? |

This may seem a fishy one for a judge, but I think actually it isn't. The sole purpose of this reverse-engineering is to bypass the agreement. This is not jailbreaking or hacking to open up possibilities that were hidden, but real intended abuse. Almost any judge will punish you for it.


