"This arrogance undermines a basic security principle, never trust the client. [...] Notice it's only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not GMail when Android was rooted. Because other companies aren't crazy."

"[...] To me, a hacker is just somebody with a set of skills; hacker is to computer as plumber is to pipes. And the same ethics should apply, if you want to mess with the pipes in your own house, go for it. But don't go breaking into people's houses and messing with their pipes."

"You're the perfect example of someone who can't even grasp the simple concept of how YOUR actions have consequences for OTHER people. If Sony wanted to remove Other OS that's up to them, people like you and George should have just dealt with that. Instead like children you have this sense of entitlement and so the PS3 was hacked and root keys published. No thought was given to how this would be used by other people, all that crossed your tiny little minds was how this affected YOU."

http://geohotgotsued.blogspot.com/2011/04/recent-news.html?s...

You see people become inoculated by all sorts of kooky ideas (usually offering salvation or universal insight), but to see people get their mind twisted around some faceless video game company... the mind boggles...

I know people like to make fun of Mac and Android fans but some playstation fans took it way too personal.

To use an analogy, Sony's system seems to have been designed like a a car that starts with a push button, no key required. It's assumed that you'll never be able to start it without being the owner because you would have to open the door first. George, being the owner of one of these vehicles, figured out how to get into it without using his keys (in case he ever locked himself out), then people took that information and used it to steal these cars, because once you can open the driver door, there are no additional security checks (like an ignition lock) to prevent the car from being stolen.

I agree with Geohot that Sony's mindset of security extending to the console is broken. But let's put it in perspective: for CC#s and passwords this is little different than an https website and customer-side browser. Sure, if you hack your console, you can set up a MitM and observe your own personal details.

It's possible that this helped to enable their backend breach but we don't know that yet.

There are very few designs in common use that can survive the compromise of an endpoint.

The idea that expecting a product you buy to have the features it was described by the seller as having is a "sense of entitlement" seems pretty kooky to me. We can't have a functioning market like that.

I wonder if he's purely speculating or maybe knows something more. It's also good to see he can at least still talk about Sony security in general (or can he?)

Do you mean they should have pre-encrypted the CC number before encrypting it again in the standard SSL transaction?

Would that have helped? Because if the PS3 knows how to encrypt and you own the server, decrypting is as trivial as just looking at the plain text

For people who don't own the server and are listening in SSL is enough and for people with access to the server neither SSL nor any other encryption is enough.

They have done a lot of things wrongly, but this IMHO is not one of them.

You are wrong; They could have done that. That's the whole premise of public key cryptography (google/wikipedia if you are not familiar). It's possible, (and easy) for the client to encrypt something that a client cannot in general decrypt, nor can anyone else without the decryption key. And it is actually a good idea to not put the decryption key on the server you talk to - only on a server that actually talks to the payment gateway.

> And how would you use that hashed CC number on the server? Unhashing (impossible)? Send the hash to the CC company (good luck)?

Many credit card processors let you do something similar - i.e. you register the CC details once, get a "reference id", and then use that reference id to charge. I'm sure Sony could have used one of them if they cared.

> For people who don't own the server and are listening in SSL is enough and for people with access to the server neither SSL nor any other encryption is enough.

That is true. However, that is just one facet that needs defense, and one that has had almost no attacks in the last 5 years -- because SSL (if practiced correctly, which it rarely is) solves that problem, and attacking the server is usually easier than listening on the pipes.

> They have done a lot of things wrongly, but this IMHO is not one of them.

Everything they have done about this is wrong. And the fact you think they didn't, implies that you shouldn't be working on systems that have any sensitive information in them. I sincerely hope you don't, for the sake of your users.

And that's exactly how your typical SSL/TLS handshake works.

The problem is how does the client know he's encrypting to the correct public key? He has to have something stored giving him the key in advance or telling him how to authenticate the public key he's asked to use.

This is how the protocol messages were decrypted. The hackers modified their own console to trust a new public key, one to which they had the private key.

True.

> The problem is how does the client know he's encrypting to the correct public key? He has to have something stored giving him the key in advance or telling him how to authenticate the public key he's asked to use.

True again. In the SSL/TLS, this is the "trusted roots" certificates, that the browser was created with.

Why wouldn't the PS3 have a "trusted root" as such?

> This is how the protocol messages were decrypted. The hackers modified their own console to trust a new public key, one to which they had the private key.

Cool. But that doesn't let them decode _other_ clients' transmissions -- much like putting a new root certificate in your own browser doesn't make a session less secure for anyone else.

Sony made many mistakes here, most of them due to either extreme hubris or extreme incompetence.

My understanding is that they have a trusted root store like any browser. Probably revocation doesn't work so hot either.

The certs presented by a couple of servers I looked at were issued by Verisign and Comodo. https://www.ssllabs.com/ssldb/analyze.html?d=auth.np.ac.play... https://www.ssllabs.com/ssldb/analyze.html?d=store.playstati...

But that doesn't let them decode _other_ clients' transmissions -- much like putting a new root certificate in your own browser doesn't make a session less secure for anyone else.

Right, we don't know that's happened yet, except we hear that Sony's backend systems were compromised too. That could be completely unrelated, or the client and server hacks could combine in a way that makes every PS3 compromised. I find it an interesting question but we probably have to wait for more details from Sony.

This is, for example, the md5-hash of my credit card number with "salt" prepended: 8cc8f5b89ae1ce45a8efce26c88b69e7.

Now good luck doing anything useful with this.

My point was just that it's totally fine to rely on SSL for securely transmitting the credit card number. There's no need to encrypt twice and salting isn't possible.

Storing the numbers (or, as you say, authorizations) is something else I a) know nothing about, b) wouldn't want to have to do (see a) and c) didn't comment about.

It should be feasible to hash a whole bunch of credit card numbers looking for a hash collision, especially when the first four digits depend only on the card type and the last one is a check digit or something. I'd have to look up the details, but that leaves me with just over a billion things to hash?

This is roughly the way password crackers work, incidentally. And why they keep telling people to use slow hashes, like bcrypt.

The initial transaction cannot be a reference transaction. You have to actually send the CC number to the gateway for that first transaction.

I've not seen such a protocol for sending CC#s from the browser before.

Who is this kid? He's like 20 years old and he talks like this? Geohot, you have my respect thats for sure.

"To me, a hacker is just somebody with a set of skills; hacker is to computer as plumber is to pipes. And the same ethics should apply, if you want to mess with the pipes in your own house, go for it. But don't go breaking into people's houses and messing with their pipes. (Note that I do not endorse water piracy)"

Sony's statement for reference: http://blog.us.playstation.com/2011/04/26/update-on-playstat...

On The Media did a piece a few months ago about how the 1982 Tylenol recall is pretty much the gold standard for corporate disaster PR: identify the problem, apologize, and explain what you're doing to prevent it in the future. It's not hard, but it takes guts. Even J&J itself didn't meet that standard in later recalls. http://www.onthemedia.org/transcripts/2010/02/12/01

From the point of view of some people: "It's the Playstation Network, obviously you have to use a Playstation to get on the Playstation Network. You can't use a computer, they aren't compatible!"

I can't come up with a direct analogy for a similar lack of comprehension, but I keep thinking of the apocryphal stories of people that lock themselves out of their cars with the windows down, and freak out because they don't think of reaching through the window to unlock it manually.

Nevertheless, Sony seemed to assume that it guaranteed they would only receive valid messages from actual hardware they controlled. This is not a security feature of SSL/TLS which depends on the client doing its part to prevent the absence of a man-in-the-middle.

When the client was hacked, many of their assumptions were violated. We hear rumors of hackers "mapping" their systems onto some internal development networks. What this means exactly I don't know.

But if Sony's primary network defenses were the Maginot line, their dev network probably looked a lot like Belgium.

http://www.youtube.com/watch?v=btDiX319P4w @ around 8 minutes in

More information: http://www.google.com/support/youtube/bin/answer.py?hl=en...

It's a real shame that Sony alienates their customers with these kinds of acts while building a flimsy infrastructure for gaming. I'm one of those people who bought the PS3 just for OtherOS(and thankfully never got the removal patch) and honestly, given the lackluster performance it has and this move, I'm highly tempted to just sell it. The rootkit debacle of several years ago still leaves a bad taste in my mouth.

Today's Penny Arcade covers it quite nicely: http://www.penny-arcade.com/comic/2011/4/29/

Definitely enough to pay for one lawyer for several minutes against Sony.

http://www.ultrasn0w.ca/2011/04/geohot-donates-10000-to-eff....

When hackers come along having the goal of running their own OS on the PS3 or even restoring the ability to run as a guest of the hypervisor (OtherOS), many players don't see the difference. Probably any research into the inner workings of a PS3 has the potential to benefit cheat development as well, but I for one do not accept the idea that we would turn off our inquisitive nature and forgo our home supercomputers so that others might gain a more fair killing field.

But I think you need to respect the opposing viewpoint: that supporting OtherOS actually isn't worth the risk of new cheats for a lot of people. It is a game console after all.

* It's not a "game console" by definition. It's a box with semiconductors inside it which I can purchase for a few hundred bucks at any of many local stores. These semiconductors are equally well-suited for doing vector calculations in support of many applications, frivolous and serious alike.

* It's simply a mistake to think by not "supporting OtherOS" it will significantly reduce the "risk of new cheats" in anything but the very short term. OtherOS is happening whether it's supported or not. That's probably true of cheating too.

* But that's not even what Sony did though, Sony actively removed OtherOS from units people had previously purchased, and only then _after_ it had already provided its (relatively small) boost to hackers.

The idea of keeping secrets locked in a box that millions of people purchase and physically control is simply ludicrous and has failed every time it's been tried.

Job of what? Locking up secrets in a box?

How many days out of the last year was the iPhone not jailbreakable without even opening the box?

And to be fair, the Dreamcast was about as open as a 7/11, but that didn't fair too well for Sega.

A. Reality does not owe us a successful business model. Thus even if we accept Sega as an example of a failed open console, it says nothing to imply that a closed-console model is a viable idea.

B. Disbelieving (A) is usually a quick route to failure. Apple is good at getting its customers to accept unreality, but does a pretty good job of understanding the reality for itself. (Perhaps this is why they react so violently to cracks in their reality distortion field.) Often companies begin to believe their own reality distortions with disastrous results.

C. The vast majority of businesses fail anyway and the console industry is particularly competitive. Like Nokia in reverse, they recognized their own ability to make a business out of hardware systems and remained alive in a different market (hedgehog simulator software). If they knew they were the weakest player in a market that would only support a limited number of systems, would a more-closed architecture really have saved Sega consoles? What if they had started making open-architecture DVRs or home theater PC boxes instead?

The best I can muster. Being a fan at the time, I tend to follow the "it needed more third party support" and "Sony lied/"used false PR" (which seems oddly more acceptable) to hype the PS2 into unrealistic levels" lines of thought. Particularly the latter, claiming video as "gameplay."

You really get the sense that success in that business (at least at that time, in the minds of the executives they interviewed) is about everything except delivering the best possible value to the customer.

It truly makes me wonder sometimes about the person on the other end of the keyboard when this kind of personal data breach is written off completely, laughed at as no big thing. I mean, I don't even have a PS3 or PSN account (waiting for Team Ico's next game,) but I can tell it isn't "nothing."

Really want to be disappointed in gamers? Google Image search "Modern Warfare 2 boycott".

Maybe my perspective is warped, but I feel like the original meaning of "hacker" is gaining popularity lately. "Hackathons" have made their way into the media thanks to Facebook and Zuckerberg. And of course PG's writing and "Hacker News" are somewhat well known in the tech and startup circles.

Still it's far from the mainstream meaning. In some ways it's cool that it's not, it's almost like a secret handshake. If you know what I mean when I say "hacker" I have a little extra bit of respect for you.

Although I agree that "hacker" has a new meaning (and has for a long time), much like how the LGBT community adopts otherwise derogatory terms, I don't think we should stop using "hacker" because of outside influences; the actual meaning implied (coder or script kiddie) is often obvious thanks to the context it gets used in (CNN using "hacker" in a news title is different to when Joel Spolsky uses it, for example).

    Thaumaturgy is the capability of a saint
    or magician to work miracles. A practitioner 
    of thaumaturgy is a thaumaturge or miracle worker. 

To me, a "hacker" is someone who is involved in finding ways to get systems to perform in a manner outside the intention of its design. E.g., hotrodders could be considered car hackers.

It's not specific to the coding field.