
Geohot Chimes In - shawndumas
http://geohotgotsued.blogspot.com/2011/04/recent-news.html
======
shawndumas
You know; this guy makes some good points:

"This arrogance undermines a basic security principle, never trust the client.
[...] Notice it's only PSN that gave away all your personal data, not Xbox
Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and
not GMail when Android was rooted. Because other companies aren't crazy."

"[...] To me, a hacker is just somebody with a set of skills; hacker is to
computer as plumber is to pipes. And the same ethics should apply, if you want
to mess with the pipes in your own house, go for it. But don't go breaking
into people's houses and messing with their pipes."

~~~
_delirium
The pipe analogy is interesting, because I've heard a related analogy in the
other direction. I can't recall where I read it, but I think it was some
textfile from the 80s, justifying breaking into large corporate computer
systems to explore them as similar to breaking into and exploring steam
tunnels, and guided by a similar ethos (e.g. don't vandalize them while
exploring).

~~~
pyre
Exploring steam tunnels isn't "messing with pipes." To be "messing with pipes"
you would have to be doing things to the pipes in those steam tunnels.

~~~
galuggus
How about breaking into a bank to learn more about their security systems?

------
pushingbits
Good Christ, what comments!

"You're the perfect example of someone who can't even grasp the simple concept
of how YOUR actions have consequences for OTHER people. If Sony wanted to
remove Other OS that's up to them, people like you and George should have just
dealt with that. Instead like children you have this sense of entitlement and
so the PS3 was hacked and root keys published. No thought was given to how
this would be used by other people, all that crossed your tiny little minds
was how this affected YOU."

[http://geohotgotsued.blogspot.com/2011/04/recent-news.html?s...](http://geohotgotsued.blogspot.com/2011/04/recent-news.html?showComment=1303986868731#c8287228180500063419)

You see people become inoculated by all sorts of kooky ideas (usually offering
salvation or universal insight), but to see people get their mind twisted
around some faceless video game company... the mind boggles...

~~~
huhtenberg
There is a good chance that this particular comment came directly from Sony as
a part of some sort of misdirection and damage control campaign. It does not
read like something a teenager would write, it sounds more like a mom
lecturing her adolescent, but I can't see parents taking time to comment in
GeoHot's blog. So given the context it looks artificial.

~~~
chrischen
A lot of PS3 users are NOT teenagers... I'm guessing PS3's user base will tend
to be slightly higher in age than Xbox owners, given that people who buy PS3s
might buy them for the Blu-ray player as well to complement some home theater
setup. Teenagers will most likely only have appeal for the gaming aspects of a
console.

~~~
intended
This comment was being moderated down. Can someone shed light as to why they
disagree?

~~~
intended
Which means I get moderated down too? I thought he had an interesting and
valid point, saw his statement when it was grey and made my comment. If I am
incorrect, or have made a HN etiquette faux pas, I would appreciate knowing
about it.

------
praptak
This is interesting: _"Traditionally the trust boundary for a web service
exists between the server and the client. But Sony believes they own the
client too, so if they just put a trust boundary between the consumer and the
client (can't trust those pesky consumers), everything is good. Since everyone
knows the PS3 is unhackable, why waste money adding pointless security between
the client and the server?"_

I wonder if he's _purely_ speculating or maybe knows something more. It's also
good to see he can at least still talk about Sony security in general (or can
he?)

~~~
shareme
It's not speculation, they passed CC numbers in the clear over SSL instead of
hashing them..

~~~
pilif
And how would you use that hashed CC number on the server? Unhashing
(impossible)? Send the hash to the CC company (good luck)?

Do you mean they should have pre-encrypted the CC number before encrypting it
again in the standard SSL transaction?

Would that have helped? Because if the PS3 knows how to encrypt and you own
the server, decrypting is as trivial as just looking at the plain text.

For people who don't own the server and are listening in, SSL is enough and for
people with access to the server neither SSL nor any other encryption is
enough.

They have done a lot of things wrongly, but this IMHO is not one of them.

~~~
tibbon
You can store 'authorizations' as a gateway instead and not store the actual
number on your server.

~~~
pilif
I (and shareme I was responding to) wasn't talking about _storing_ the
numbers. I was talking about _transmitting_ them. You can't transmit hashes of
credit card numbers and then expect to do anything useful with them.

This is, for example, the md5-hash of my credit card number with "salt"
prepended: 8cc8f5b89ae1ce45a8efce26c88b69e7.

Now good luck doing anything useful with this.

My point was just that it's totally fine to rely on SSL for securely
transmitting the credit card number. There's no need to encrypt twice and
salting isn't possible.

Storing the numbers (or, as you say, authorizations) is something else I a)
know nothing about, b) wouldn't want to have to do (see a) and c) didn't
comment about.

~~~
Natsu
I hope you're kidding about the MD5 thing.

It should be feasible to hash a whole bunch of credit card numbers looking for
a hash collision, especially when the first four digits depend only on the
card type and the last one is a check digit or something. I'd have to look up
the details, but that leaves me with just over a billion things to hash?

This is roughly the way password crackers work, incidentally. And why they
keep telling people to use slow hashes, like bcrypt.

~~~
pilif
No worries. That's what I was thinking too. The hash isn't my credit card
number. Still. This is a very impractical way to "encrypt" a credit card
number for transmission.
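
Added example, not part of the thread: the enumeration Natsu describes, written in Python to show why a fast hash of a card number offers little protection once the salt and part of the number are known. The function names, the public test number 4111111111111111 and the 11-digit prefix used in the demo are constructed for illustration; the longer prefix only keeps the run short.

```python
import hashlib

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every second digit, starting next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def salted_md5(salt: str, pan: str) -> str:
    """The scheme from the thread: MD5 over the salt prepended to the number."""
    return hashlib.md5((salt + pan).encode()).hexdigest()

def candidates(length: int, known_prefix_digits: int) -> int:
    """Numbers left to try: the prefix is known and Luhn fixes the last digit."""
    return 10 ** (length - known_prefix_digits - 1)

def recover(target: str, salt: str, prefix: str, length: int = 16):
    """Try every Luhn-valid number with this prefix; return the one that matches."""
    free = length - len(prefix) - 1
    for n in range(10 ** free):
        body = prefix + (str(n).zfill(free) if free else "")
        pan = body + luhn_check_digit(body)
        if salted_md5(salt, pan) == target:
            return pan
    return None

if __name__ == "__main__":
    TEST_PAN = "4111111111111111"  # constructed input: a public test number
    stored = salted_md5("salt", TEST_PAN)
    print(candidates(16, 4))  # search space when only a 4-digit prefix is known
    print(recover(stored, "salt", "41111111111"))
```

A slow hash raises the cost of each guess, but the number of candidates stays the same.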

------
awakeasleep
"And let's talk about Sony's use of the word illegal. It is illegal,
criminally so, to break into someone else's servers. But when the same word is
used to refer to streaming a song from a non RIAA approved website, or to
_gasp_ playing a homebrew game on your PS3, respect for the word and those who
say it is lost."

Who is this kid? He's like 20 years old and he talks like this? Geohot, you
have my respect, that's for sure.

------
Jun8
This is an excellent piece, my esteem for geohot got even higher. It vilifies
Sony (rightly so) but also is balanced. The plumber analogy is spot on and
funny:

"To me, a hacker is just somebody with a set of skills; hacker is to computer
as plumber is to pipes. And the same ethics should apply, if you want to mess
with the pipes in your own house, go for it. But don't go breaking into
people's houses and messing with their pipes. (Note that I do not endorse
water piracy)"

------
thomson
On a pedantic note, is there a reason why large corporations 'regret' mistakes
rather than apologize for them? Is it just so they don't want to go on the
record as being wrong?

Sony's statement for reference:
[http://blog.us.playstation.com/2011/04/26/update-on-playstat...](http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/)

~~~
iy56
Their lawyers tell them that an apology is an admission of fault.

~~~
eli
Maybe true, but I don't think that's the real reason. I think it has a lot
more to do with ego and cowardice. (It perhaps also belies a shoot-the-
messenger mentality that exists within many major corporations.)

On The Media did a piece a few months ago about how the 1982 Tylenol recall is
pretty much the gold standard for corporate disaster PR: identify the problem,
apologize, and explain what you're doing to prevent it in the future. It's not
hard, but it takes guts. Even J&J itself didn't meet that standard in later
recalls. <http://www.onthemedia.org/transcripts/2010/02/12/01>

------
pdenya
Strange how many of the commenters on the article think Sony was hacked
from a rooted PS3. There's no evidence but I'll assume this was done from a PC
until I see some reason why doing it from a PS3 would make it easier (in any
way).

~~~
StavrosK
Apart from the fact that it's already got all the hardware and software to
communicate with the servers, and is thus a much better conduit for an
exploit, you mean?

~~~
marshray
Well the protocol turns out to look a lot like HTTP talking to Apache over
SSL. This is no surprise, it's easy to develop with and is the most likely to
make it through proxies and firewalls outbound.

Nevertheless, Sony seemed to assume that it guaranteed they would only receive
valid messages from actual hardware they controlled. This is not a security
feature of SSL/TLS which depends on the client doing its part to prevent the
absence of a man-in-the-middle.

When the client was hacked, many of their assumptions were violated. We hear
rumors of hackers "mapping" their systems onto some internal development
networks. What this means exactly I don't know.

But if Sony's primary network defenses were the Maginot line, their dev
network probably looked a lot like Belgium.

------
yuvadam
Gotta love the subtle xkcd reference at the end.

~~~
kristofferR
It wasn't just an xkcd reference I think, I think it really was a reference
from the fail0verflow presentation where the security of the PS3 was totally
dismantled (the device itself, not PSN).

<http://www.youtube.com/watch?v=btDiX319P4w> @ around 8 minutes in

~~~
mdaniel
FWIW, one can link directly to a time in a YouTube video using #t=8m tacked on
the URL.

More information:
[http://www.google.com/support/youtube/bin/answer.py?hl=en...](http://www.google.com/support/youtube/bin/answer.py?hl=en&answer=116618)

------
artmageddon
I thought part of geohot's settlement with Sony was that he wasn't allowed to
discuss what happened? Maybe that was just with his case and not with the
latest incident. Regardless, I like his attitude, and hope he continues honing
his hacking skills. As he points out, at least they used a very strong XKCD
style randomization algorithm.

It's a real shame that Sony alienates their customers with these kinds of acts
while building a flimsy infrastructure for gaming. I'm one of those people who
bought the PS3 just for OtherOS (and thankfully never got the removal patch)
and honestly, given the lackluster performance it has and this move, I'm
highly tempted to just sell it. The rootkit debacle of several years ago still
leaves a bad taste in my mouth.

Today's Penny Arcade covers it quite nicely:
<http://www.penny-arcade.com/comic/2011/4/29/>

~~~
veyron
The scope of the gag order was limited to info relevant to the original case,
not this new incident.

~~~
artmageddon
Thought so - thanks!

------
chopsueyar
What about the money from the legal defense fund? What happened there?

~~~
dfischer
He gave like $10k to the EFF, no?

~~~
giu
Yes he did: <http://geohotgotsued.blogspot.com/2011/04/10000-to-eff.html>
(Screenshot of the receipt: [http://3.bp.blogspot.com/-qsLYAGnuRfM/Takp2Re-dgI/AAAAAAAAAe...](http://3.bp.blogspot.com/-qsLYAGnuRfM/Takp2Re-dgI/AAAAAAAAAew/z5aysW0mRXY/s1600/eff_receipt.png))

------
leon_
I don't understand those comments. Are those frustrated kids who can't play
online anymore?

~~~
marshray
My understanding is that the "battlefield graphic murder" online simulator
games are quite popular and they've had a problem with cheaters. Players have
built up quite a rage against these cheaters and they look to Sony to fix it.

When hackers come along having the goal of running their own OS on the PS3 or
even restoring the ability to run as a guest of the hypervisor (OtherOS), many
players don't see the difference. Probably any research into the inner
workings of a PS3 has the potential to benefit cheat development as well, but
I for one do not accept the idea that we would turn off our inquisitive nature
and forgo our home supercomputers so that others might gain a more fair
killing field.

~~~
eli
I think you're exactly right.

But I think you need to respect the opposing viewpoint: that supporting
OtherOS actually isn't worth the risk of new cheats for a lot of people. It is
a game console after all.

~~~
marshray
No, I think there are some fallacies there:

* It's not a "game console" by definition. It's a box with semiconductors inside it which _I_ can _purchase_ for a few hundred bucks at any of many local stores. These semiconductors are equally well-suited for doing vector calculations in support of many applications, frivolous and serious alike.

* It's simply a mistake to think by not "supporting OtherOS" it will significantly reduce the "risk of new cheats" in anything but the very short term. OtherOS is happening whether it's supported or not. That's probably true of cheating too.

* But that's not even what Sony did though, Sony actively removed OtherOS from units people had previously purchased, and only then _after_ it had already provided its (relatively small) boost to hackers.

The idea of keeping secrets locked in a box that millions of people purchase
and physically control is simply ludicrous and has failed every time it's been
tried.

~~~
djjose
Apple does a pretty good job of this, no?

And to be fair, the Dreamcast was about as open as a 7/11, but that didn't
fare too well for Sega.

~~~
forwardslash
Are there any postmortems on the Dreamcast and why it failed? I'm genuinely
curious. I don't know if the openness of the Dreamcast led to its downfall,
but it has a fairly strong community of hackers using it currently.

~~~
jeffool
[http://www.gamasutra.com/view/feature/4128/the_rise_and_fall...](http://www.gamasutra.com/view/feature/4128/the_rise_and_fall_of_the_dreamcast.php)

The best I can muster. Being a fan at the time, I tend to follow the "it
needed more third party support" and "Sony lied/"used false PR" (which seems
oddly more acceptable) to hype the PS2 into unrealistic levels" lines of
thought. Particularly the latter, claiming video as "gameplay."

~~~
marshray
Nice article, thanks for the link.

You really get the sense that success in that business (at least at that time,
in the minds of the executives they interviewed) is about everything _except_
delivering the best possible value to the customer.

~~~
jeffool
As a gamer, it annoys me to no end how people are quick to defend and identify
with companies that have even a hand in their favorite game. Many will even
defend publishers of games they enjoy in unrelated matters, as if the
publisher had anything to do with it.

It truly makes me wonder sometimes about the person on the other end of the
keyboard when this kind of personal data breach is written off completely,
laughed at as no big thing. I mean, I don't even have a PS3 or PSN account
(waiting for Team Ico's next game,) but I can tell it isn't "nothing."

Really want to be disappointed in gamers? Google Image search "Modern Warfare
2 boycott".

------
daimyoyo
The word "hacker" has been corrupted by the media to the point it's nearly
derogatory. We need a new term for what we do. Something like "techsmith." Any
other ideas?

~~~
crocowhile
I think the proper word already exists since ages and it's "polymath"
<http://en.wikipedia.org/wiki/Polymath>

~~~
beaumartinez
| _In less formal terms, a polymath (or polymathic person) may simply be
someone who is very knowledgeable._

It's not specific to the coding field.

~~~
stonemetal
Nor is the term hacker (in the positive sense). In the negative sense it seems
to be reserved for coding.

