Welcome, Guest. Please login or register.
Amiga Kit Amiga Store Iridium Banner AMIStore App Store A600 Memory

AuthorTopic: PS3 security is "epic fail"  (Read 14095 times)

0 Members and 1 Guest are viewing this topic.

Offline olsen

Re: PS3 security is "epic fail"
« Reply #30 on: December 30, 2010, 08:36:58 PM »
Quote from: Piru;602926
Actually I don't believe it to be an error per se. They just failed to realize that "random number x" actually meant "new random number x every time", while elliptic curve crypto documentation is quite clear about it. This is the epic part in the fail.

That could have been a case of "cookbook programming": 1) find a working, documented implementation of the algorithm and deploy it, 2) ..., 3) profit!

Bruce Schneier at one point came to regret writing his landmark book "Applied cryptography" because it led programmers to believe that the magic was in the algorithms, and not in how they were deployed.

Quote
Indeed. Bruce Schneier summarized it pretty well: http://www.schneier.com/essay-028.html

It's right on the money.

Quote
I personally would never even imagine trying to build my own crypto. It's just too easy to fail. I'm perfectly happy to use ready to use and proven solutions such as things provided by openssl.

We may never know how Sony came to choose the technology they deployed. Organizations of that scale usually learn only from failure, and there haven't been that many security tech failures originating from within Sony, unless I'm mistaken (I would not consider the CD "root kit" debacle to be a comparable security failure: it "only" compromised the security of the consumer, but not the security of the manufacturer).

Microsoft had the opportunity to learn from the XBOX security hacks, but Sony's previous console was not as technically complex as the XBOX. So Sony could not build upon an existing design and iterate.

I guess that because Sony started over from scratch for the PS3, it led to the security design to be developed from scratch, too, with no references to existing similar designs. They may have rejected traditional, proven technology (old-fashioned RSA/DSA, etc.) because of how their product development process works. It would not surprise me at all if this is how it went down.

Quote
Here's another recent crypto failure:
HDCP 'master key' supposedly released, unlocks HDTV copy protection permanently
(well not that recent as it was predicted ages ago that the thing was broken... oh, noone listened)

I think I remember that the researcher who discovered the issue was either bought off or silenced. Intel probably calculated how much they had already invested into the technology and decided that "security through obscurity" would likely give them enough time to recoup the investment and make enough money on it before the next generation of the interface would go to market. In a way, this paid off, didn't it? We probably would still be waiting for affordable flat screen displays and TVs to become available if Intel hadn't stepped in and standardized the connector technology.

Quote
And here's one somewhat older case that was really serious:
Debian OpenSSL Predictable PRNG Toys

Yup, that one was ugly and epic, too :(
« Last Edit: December 30, 2010, 08:39:42 PM by olsen »
 

Offline actung_bab

Re: PS3 security is "epic fail"
« Reply #31 on: December 30, 2010, 09:12:55 PM »
Quote from: Piru;602920
Actually currently you need to hack the PS3 with the USB dongle. This will change once the disc keys (and any other keys that might be needed) have been recovered. Later on this should change, however.
this is true but waste of time not that l whould but you whould not be able to log on to play online or go on the playstation network as you need to have much earlier version of the playstation 3 firmware
Acthung baby
http://telnet://midnight-blue.dyndns.org
Cnet 4.60 PRO bbs software
Amiga 1200 020 14 mhz mbz 1200 z pcmcia network card 4 meg ram 2 Gb scandisk cf
Amiga 2000 020
Amiga 4000 030 25 mhz broken
Amiga x 4 1200
x 6 Sony Ps 3 Orginal 60 gb 4  port usb 160 gb hd (os 4.1 ready :-)
what can i say i like thse machines
x 3 XBOX 360 1x xbox 360 slim
url=http://avatars.jurko.net][/url]
 

Offline hardlink

Re: PS3 security is "epic fail"
« Reply #32 on: December 30, 2010, 09:54:19 PM »
I misread the title as "PFS3 ...", which I would have found a lot more interesting.
 

Offline Matt_H

Re: PS3 security is "epic fail"
« Reply #33 on: December 30, 2010, 10:04:32 PM »
Quote from: pyrre;602925
And this all happened because Sony wanted to stop Linux, and by doing so pissed off hackers. :D
Some top boss in Sony is probably taking his hat and leaving the company by now...


This proves that they need a new business model. At launch, Sony was taking a loss on every console sold and attempted to profit on software. I imagine that's still the case  - if they're selling heaps of consoles with no software to go with them, they're in trouble. They've been able to curtail this customer behavior with DRM nonsense and legal threats, but now the floodgates are open.

I'm not usually one to unquestioningly espouse the philosophy that the free market is always right, but in this case, it is.

Sony needs to learn how to respond to consumer demand and how to make a profit on hardware. The result would be a win-win.
 

Offline A1260

Re: PS3 security is "epic fail"
« Reply #34 on: December 30, 2010, 10:35:00 PM »
When copied games can be run, console sales go up. Watch the PS3 sales now......
 

Offline Tension

Re: PS3 security is "epic fail"
« Reply #35 on: December 31, 2010, 01:01:07 AM »
Quote from: A1260;602959
When copied games can be run, console sales go up. Watch the PS3 sales now......


Which is bad for Sony, ironically.

At least I have water!

Offline Tension

Re: PS3 security is "epic fail"
« Reply #36 on: December 31, 2010, 01:20:46 AM »
Quote from: nicholas;602773
Self signed homebrew is now possible after the PS3's private keys have been cracked.


This is a family-friendly forum.  You have received an infraction.

Offline ciento

Re: PS3 security is "epic fail"
« Reply #37 on: December 31, 2010, 01:36:02 AM »
Quote from: pyrre;602925
And this all happened because Sony wanted to stop Linux, and by doing so pissed off hackers. :D
Some top boss in Sony is probably taking his hat and leaving the company by now...
When I first read sony was ending otheros, I thought it would take around 3 months of rage coding for the hackers to enter the deathstar, and now, they're in,
and teams are rampaging their way to the bridge, and control rooms. :hammer:

Guys leaving such huge corporations sometimes have a greatly reduced
carbon footprint. :lol:
 

Offline Tension

Re: PS3 security is "epic fail"
« Reply #38 on: December 31, 2010, 01:47:00 AM »
Sony, I Am Disappoint!

Offline KThunder

Re: PS3 security is "epic fail"
« Reply #39 on: December 31, 2010, 02:03:53 AM »
Quote from: Matt_H;602952
This proves that they need a new business model. At launch, Sony was taking a loss on every console sold and attempted to profit on software. I imagine that's still the case  - if they're selling heaps of consoles with no software to go with them, they're in trouble. They've been able to curtail this customer behavior with DRM nonsense and legal threats, but now the floodgates are open.

I'm not usually one to unquestioningly espouse the philosophy that the free market is always right, but in this case, it is.

Sony needs to learn how to respond to consumer demand and how to make a profit on hardware. The result would be a win-win.


+1

problem is though sony won't learn, past sony brushes with drm trouble shows that. Neither will any of the other companies. What they will likely do is lock things down even tighter, which won't help.
Oh yeah?!?
Well your stupid bit is set,
and its read only!
(my best geek putdown)
 

Offline fishy_fiz

Re: PS3 security is "epic fail"
« Reply #40 on: December 31, 2010, 05:55:07 AM »
I didnt read all the threads, but "epic fail" seems a bit extreme to me :) All consoles do and will get hacked at some point. There's enough clever people out there with an interest in cracking cosnole security, just for the challenge and notoriety to make sure of that. The fact that its taken so long I'd actually consider quite a success in this day and age. Having said this though, other than through my general video game interest I have no major investment in what happens with ps3 anyay 'cos I dont have one  :)
Near as I can tell this is where I write something under the guise of being innocuous, but really its a pot shot at another persons/peoples choice of Amiga based systems. Unfortunately only I cant see how transparent and petty it makes me look.
 

Offline jj

  • Lifetime Member
  • Hero Member
  • *****
  • Join Date: Feb 2002
  • Posts: 4035
  • Country: wales
  • Total likes: 4
  • Gender: Male
Re: PS3 security is "epic fail"
« Reply #41 on: December 31, 2010, 09:49:05 AM »
Yes but usally the hacks are chips are some other hardware mode or casusing and overflow so you can run your own code to take over.
 
All this is done so you can run un-signed code on the machine.
 
THis is different, this will enablle people to run there own code on un-modified ps3.
 
This is an epic fail.
“We don't stop playing because we grow old; we grow old because we stop playing.” - George Bernard Shaw

Xbox Live: S0ulA55a551n2
 
Registered MorphsOS 3.10 user on Powerbook G4 15"
 

Offline olsen

Re: PS3 security is "epic fail"
« Reply #42 on: December 31, 2010, 10:04:29 AM »
Quote from: fishy_fiz;602988
I didnt read all the threads, but "epic fail" seems a bit extreme to me :)

The term was used by the researchers who presented it at the 27C3. I've just seen the entire presentation, and I can understand why they called it "epic fail".

The security system used by the PS3 is layered, so in theory an adversary would have to break down each layer for the whole system to be compromised. But as the presentation showed, the layer design is either bungled (e.g. the media encryption, the code signing), effectively irrelevant to security (e.g. the Hypervisor, the crypto functions of the dedicated security processor) or so brittle that there is no defense against compromised components (e.g. the bootstrapping process).

A lot of effort went into implementing these security measures, but taken as a whole their effectiveness is reduced to security by obscurity, which is shocking if you are familiar with the technology. This ought to have been designed and implemented much better.

What is "epic" about the whole affair is how much effort Sony spent on this product, how long it took to become marginally profitable, how long Sony plans to keep this product alive, and yet how little leverage is required to undo these efforts. Feet of clay, etc.

Quote
All consoles do and will get hacked at some point. There's enough clever people out there with an interest in cracking cosnole security, just for the challenge and notoriety to make sure of that. The fact that its taken so long I'd actually consider quite a success in this day and age.

Actually, how the security system came apart is what makes it an "epic" failure. It did not withstand the attacks because of its resilient architecture: there is no resilience where it would have mattered. It withstood the attacks because of the security by obscurity principle. That is not a success because the barn door is wide open by now. As they say, attacks only get better over time, they never get worse.

All the PS3 devices Sony sold up until now are vulnerable to the kind of exploit that would hurt Sony's business: pirated games. And it may not take long for the exploit to get "better" in that the security of the Blu-Ray device could be compromised. Which would hurt Sony, too, since they pretty much control this technology and benefit from the byzantine technology licensing scheme.

The kind of security Sony's engineers tried to implement in the PS3 can only succeed in buying time before a successful security compromise will have a noticeable impact on the market which the device was created for. What is shocking about the security failure presented at 27C3 is both in how inadequate the security architecture of the platform actually is, and in how little time it actually bought Sony. They have barely succeeded at making the PS3 profitable, and the jury is still out on whether the Blu-Ray platform will ever be profitable before other technology succeeds in eclipsing it (e.g. online streaming).
« Last Edit: December 31, 2010, 10:24:09 AM by olsen »
 

Offline dammy

Re: PS3 security is "epic fail"
« Reply #43 on: December 31, 2010, 11:44:11 AM »
Quote from: nicholas;602773
Self signed homebrew is now possible after the PS3's private keys have been cracked.

AROS for PS3 anyone? :D

http://psgroove.com/content.php?581-Sony-s-PS3-Security-is-Epic-Fail-Videos-Within&


I guess we will also see the calls for OS4 to be ported now that the PS3 has been cracked? ;-)
Dammy

https://www.facebook.com/pages/Arix-OS/414578091930728
Unless otherwise noted, I speak only for myself.
 

Offline ciento

Re: PS3 security is "epic fail"
« Reply #44 on: December 31, 2010, 11:45:08 AM »
Quote from: olsen;603004
The term was used by the researchers who presented it at the 27C3. I've just seen the entire presentation, and I can understand why they called it "epic fail".
.
:lol: By removing otheros, sony poured gasoline on themselves,
then challenged the linux coders to a duel using flamethrowers. :roflmao:
Can't get much more epic than that!