Sony – Suing GeoHot won’t put Pandora back in the box

2 Comments

So the JIG is up, and thanks to fail0verflow and GeoHot, the PS3 is well and truly hacked. It seems likely that more than one person has been fired from Sony; their security model is so comprehensively broken in its design that there is very likely no comeback without changing the hardware, and even that will not do anything now that the private keys have been released.

In public-key cryptography, signing and encryption involve a pair of keys. The keys are twinned: what one half encrypts, only the other half can decrypt. Yet the keys are distinct – someone can know one of the keys and still be helpless.
In PGP signing, and in console cryptography, one key is the public key and the other is the private key. The public key is built into the console, and the private key is in a safe at Sony. Sony signs every executable with the private key, and the PS3 verifies that the signature is valid using the public key, which, as the name suggests, may be openly known.
Mathematically, if this is properly implemented, it is almost unbreakable. Unfortunately, Sony messed up. See, the equation would easily be broken if many files were signed identically, as the differences could be eliminated and the key calculated. So the signing equation includes a random number (the nonce), and that number must be changed for each executable signed. This simple step is one of the most basic and most important parts of the security. Fail. Sony’s idea of a random number?

4. Four. Quatre. 5-1. Whatever number. FOR EVERY EXECUTABLE.

So, with only two signed files, the random variable in the equation can be eliminated and the keys calculated.
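The cancellation described above, worked through in code. This is an added example, not code from the post or from fail0verflow: it uses a toy DSA over the integers mod p with constructed parameters (q = 1019, private key 77, digests 123 and 456, nonce 4), and ECDSA, which the PS3 loader used, computes s from the nonce in exactly the same way, so the same algebra applies. It also shows the defender’s side: a repeated nonce is visible as an identical r value across two signatures, and a fresh nonce per signature is the fix.

```python
from secrets import randbelow

# Constructed toy parameters; far too small for real use. Q is prime, P = 2Q+1 is
# prime, and G = 2^2 mod P is a square, so it generates the subgroup of order Q.
Q = 1019
P = 2 * Q + 1          # 2039
G = 4


def inv(a):
    """Modular inverse mod Q."""
    return pow(a % Q, -1, Q)


def sign(x, h, k):
    """Sign digest h (already reduced mod Q) with private key x and nonce k.
    r depends only on the nonce; s = k^-1 (h + x*r) mod Q, as in ECDSA."""
    if not 0 < k < Q:
        raise ValueError("nonce must be in [1, Q-1]")
    r = pow(G, k, P) % Q
    s = inv(k) * (h + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick another nonce")
    return r, s


def sign_fresh(x, h):
    """The fix: a new secret nonce for every signature (retry on the rare degenerate case)."""
    while True:
        try:
            return sign(x, h, randbelow(Q - 1) + 1)
        except ValueError:
            continue


def verify(y, h, sig):
    """Standard DSA verification against public key y = G^x mod P."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = inv(s)
    v = (pow(G, h * w % Q, P) * pow(y, r * w % Q, P)) % P % Q
    return v == r


def nonces_reused(sig1, sig2):
    """Defender's check: two signatures with the same r were made with the same nonce."""
    return sig1[0] == sig2[0]


def recover_private_key(sig1, h1, sig2, h2):
    """Same nonce twice: s1 - s2 = k^-1 (h1 - h2), so k = (h1 - h2)/(s1 - s2)
    and then x = (s1*k - h1)/r. Nothing cancels if the nonces differ."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("nonces differ (or messages identical); nothing cancels")
    k = (h1 - h2) * inv(s1 - s2) % Q
    x = (s1 * k - h1) * inv(r1) % Q
    return k, x


# Constructed values: the vendor's private key, digests of two "executables", and
# the post's joke of a nonce, reused for every signature.
PRIVATE_KEY = 77
PUBLIC_KEY = pow(G, PRIVATE_KEY, P)
H1, H2 = 123, 456
SONY_NONCE = 4

if __name__ == "__main__":
    sig1 = sign(PRIVATE_KEY, H1, SONY_NONCE)
    sig2 = sign(PRIVATE_KEY, H2, SONY_NONCE)
    print("both valid:", verify(PUBLIC_KEY, H1, sig1) and verify(PUBLIC_KEY, H2, sig2))
    print("reused nonce detected:", nonces_reused(sig1, sig2))
    print("recovered (k, x):", recover_private_key(sig1, H1, sig2, H2))
    print("fresh-nonce signature flagged as reuse?", nonces_reused(sig1, sign_fresh(PRIVATE_KEY, H1)))
```

With the constructed values the two signatures share r = 256, and the recovery returns the nonce 4 and the private key 77 from nothing but the two public signatures and their digests.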

Since the same mistake was made in one part of the Sony OS, it has spread to all of the parts; the master keys are all over the Internet! And this key means that anyone can sign their PS3 programs, and the PS3 will just think they’re from Sony! The person doesn’t even have to have ‘jailbroken’ their PS3!

Sony’s response is to sue fail0verflow and GeoHot – yet the key is everywhere. This key has signed every piece of PSN software so far, so Sony can’t even revoke it in an update without breaking all the legitimate software released to date. Worse still, the total breaking of the security means that, with some digging, people have discovered Blu-ray and PSP master keys too!

Too late to sue, Sony. The secret is out. The number 4.

Peace, out!


(Note – Apparently the number itself wasn’t 4; that was an example given by the fail0verflow team, hence my quoting it here. The point illustrated is the same – they used the same ‘random’ number in multiple places, a grave mistake.)

The War for the Internet

8 Comments

You must be living under a rock if you haven’t heard about ‘Cablegate’ – the continuing saga of the USA, WikiLeaks, Julian Assange, Anonymous, TheJester, the list goes on. A quick summary of the situation follows, with some analysis and knock-on effects as I see them.

WikiLeaks is an anonymous whistle-blower organisation – ‘wiki’ meaning that anyone can contribute, similarly to Wikipedia. WikiLeaks stopped this ‘free edit’ policy a while back as it was too hard to manage, but set up a system for people to anonymously submit secrets. Now, we aren’t talking about how you’re the one who stole your neighbour’s gnome here; we’re talking big things – governments, corporations, groups etc.
A while back, WikiLeaks released a multitude of material on the Iraq war, including video of US chopper pilots and soldiers shooting at a bunch of civilians, journalists and children. Ever since, the US has been on a slow burn – make no mistake, the US Government hates WikiLeaks. It’s very clear.
Cablegate has pushed the US to breaking point – it is the simultaneous release of hundreds of ‘cables’, i.e. little notes or snippets from US ambassadors, representatives and more. They are retained by the government and access is restricted, but the cables are NOT classified. The contents range from little observations on foreign politicians to records of orders from Hillary Clinton to collect intelligence, DNA, biometrics and more on foreign UN ambassadors. They also shed light on the relationships between nations.

The US Government knew about the planned release and had worked hard to mitigate the damage, but there will obviously be fallout, and perhaps a loss of trust between nations, spies, ambassadors and so on. And that’s when things get silly…
The Americans are taking things out firmly on Julian Assange and WikiLeaks. I have a number of problems with that. Firstly, they are spouting a line of “This will cost lives” yet have admitted that the information has, thus far, neither been damaging nor placed anyone at risk. They have also called for WikiLeaks to be named a ‘terrorist organisation’.

WHAT? WikiLeaks a terrorist organisation? Or take Sarah Palin, who called for Assange to be designated a terrorist and for US Special Forces to move in and assassinate him? What is WRONG with the USA???

I know that every government, to a greater or lesser degree, involves itself in this kind of stuff. But what they all have to realise is that information flow is greater now than it ever has been. When something occurs, everybody knows in seconds. And I’m sorry, but governments need to rethink themselves – this stuff WILL out, and in this age everybody WILL hear about it. So it’s time to STOP. If you don’t want to be damaged by a leak, stop doing crazy, morally ambiguous, evil, terrorising stuff.
“Oh, but the UK does it too, they all do” – Yeah, I bet. And it’s in YOUR name. Is ignorance bliss? You don’t care as long as nobody finds out? Bullshit. I don’t want this stuff done in my name.

Moving on to Assange. I don’t know the ins and outs of the crime he is accused of, but all the coverage I’ve seen suggests that the allegations have some serious flaws, mostly concerning the two particular girls. They seem to have decided it was non-consensual AFTER they found out he was two-timing them. So, he’s a dick, but that’s hardly rape. However, Sweden has odd sex laws that permit “I was drunk therefore it was rape” kinds of allegations. I personally think these are damaging on the whole to the victims of rape.
I hope that the US did not put pressure on Sweden to continue to pursue allegations that had TWICE been rejected at appellate courts, but I’m willing to bet they did. At the same time, PayPal, Visa, MasterCard, SwissBank, Amazon, EveryDNS… they have all cut their ties with WikiLeaks for various reasons. This has severely hurt the funds of WikiLeaks. The only one to actively admit that it was pressed by the US was PayPal, who said that the “State dept. informed us that they were involved in illegal activities”.

So yeah, forget courts, burden of proof, justice. PayPal doesn’t care. I’m willing to bet the story is similar to the rest. What exactly has America got to hide?

Enter TheJester and Anonymous. TheJester is some absolute juvenile cunt who, prior to this, was presumably in the US army serving in the Middle East. He calls himself a “hacktivist fighting for good” when really he is a patriot. And you know, I use that word now without even thinking of the presumed “I love my country” bullshit. When I hear patriot I think of a stupid, blind puppet of an American; the ones that blindly follow the whim of the government or their leaders for some delusion of national pride. TheJester also seems to be some sort of programmer, though I suspect his programming experience is average. He seems to have ‘adapted’ (plagiarised) a program called Slowloris to make XerXes, a DDoS (Distributed Denial of Service) program that routes through Tor, the onion network, for anonymity. He has used his software in the past to DDoS ‘jihadist’ websites. A noble cause, maybe.
Now he has turned on WikiLeaks. Yet his failings became evident very quickly; mere hours after egotistically declaring “TANGO DOWN” on his Twitter, the WikiLeaks site was back. And this guy has made himself an enemy.

Anonymous have waded in, in the name of Internet openness and freedom. They have launched Operation: Payback, and it has been working fantastically! They have their target list of all those who betrayed WikiLeaks, and have been attacking as a group; today, MasterCard has been down.
Anonymous are a force, and one you do not want against you – they have no head, only teeth. They are generally morally guided to causes, and while sometimes dicky, I think they are an important bunch. Those who do not care that their methods are illegal are vigilantes and rioters. But sometimes you need such people to effect great change.

So, in what could be the first Internet War, who are the players?
WikiLeaks and their ally Anonymous fight for a free internet and world.
USA government (and others), their foot-soldiers (TheJester) and their subservient corporations fight for their own ends.

This won’t be a war where you know when it ends. But it could fundamentally change the internet, and in some ways it already has; it has shown me one thing. Companies control too much of the Internet for my liking. Amazon, eBay, Google, Microsoft, Facebook, PayPal… the list goes on. And as long as these entities have no moral centre of their own and will do whatever the US tells them to, the Internet is at risk. They want WikiLeaks shut down because it’s not under their control, and that scares them. Bastards, that’s all I can say. The USA always has the approach of policing the world, and always to its own ends. The line stops here; the Internet is NOT yours to police, and there are those who will fight to keep it from you.

In summary; go WikiLeaks, go Anonymous, go fuck yourself USA. Hypocritical, paranoid monsters with some severe entitlement issues.

I know which side I’m on; have you chosen yours yet? The time may soon come when your voice needs to be heard, not just in disapproving comments in the pub, at work or online, but instead on the streets – it is the only thing they will listen to.
It is time that governments started doing what their masters tell them; that’s you and me.

UPDATE: Anonymous has now taken down Visa

Vapourware – Like a Needle in a Haystack

No Comments

Vapourware describes a product, usually software, that has been announced by a developer during or before its development when there is significant doubt whether the product will actually be released. It is software which at best is still in development, and at worst is no more than an interesting concept in the mind of someone at the organisation. Vapourware is sometimes announced with great fanfare as a spoiling tactic to hurt sales of a competitor’s already launched product.

Maybe you don’t know, but in many parts of the world the internet is not free. It is not open. Many countries have, or are considering, filtering the internet. The reason for this is always cited as “protecting the public” or even just “child porn” (the ‘Think of the Children!’ defence). Make no mistake; filtering the internet is a bad thing, and it is coming to a country near you – the USA, Australia and the UK are all considering ‘net neutrality’ bills, and the continued tightening of digital rights (think the Digital Economy Act) pushes us one step closer to a constrained internet, an internet which is no longer the last true bastion of free speech.

…but this article isn’t about that. This article is a warning. Vapourware. The definition is above. So, Matt, why did you launch into a tirade against internet law? Well, because the people of the world have been had; specifically the people of Iran. I’m talking about ‘Haystack’.

Haystack was a fantastic story. The myth – a young, bright, entrepreneurial and morally guided man, Austin Heap, heard of the suffering of the people of Iran and developed an encrypted proxy network, one which would bypass the filtering imposed upon the innocent Iranian people.
The fact – no software officially released to date; the beta has leaked to many Iranians but is full of basic security holes. Despite much money donated to the project, it fails, and in fact risks the security of millions of Iranians, both online and from the state police.

Austin Heap, the creator, was being lauded in the press with absolutely no software credentials to back this up. He conjured false hope about a solution better than any currently available. He even claims that Haystack is better for privacy than the Tor onion network. He refused outside, open-source development, under the guise of preventing the Iranian authorities from breaking his system. However, when the executable finally found its way into the hands of some reputable software programmers, it was clear that the product was just not what it should have been (link is to Danny O’Brien’s Twitter feed; he also wrote an article about Haystack here). Even their main developer resigned.

Austin Heap was quoted as saying:

“I hope we are ready to take on the next country. We will systematically take on each repressive country that censors its people. We have a list. Don’t piss off hackers who will have their way with you. A mischievous kid will show you how the Internet works.”

I think he fell victim to his own hype, and his own motto.

A lesson indeed in the dangers of getting wrapped up in an idea. I doubt that the Dragons from Dragons’ Den would have invested in his idea. An idea is NOT a product, not a result. Ideas are easy; the idea of creating a proxy system for repressed regimes is an easy idea. The reality is all the steps in between: the lives you are risking along the way, the code and its robustness. One error can spell doom, and it seems for Haystack this might have happened.

So… Diaspora, anyone? Yeah, this is still vapourware. Diaspora purports to be a better Facebook – fixing the much-maligned privacy concerns in Facebook, removing the trash, making it clean. You can host your own Diaspora network, with its own look and feel, but all the Diaspora networks can interact and share information in a controlled way. And, yet again, it was hyped to an insane degree, raising hundreds of thousands of dollars in funding for a mere idea.

Even at the time of the announcement I was dubious. Now Facebook is everywhere; it is tightly integrated into so much of the web at the minute. Diaspora might now be a step backwards. Heck, Facebook might even be getting into the phone OS game now. But Diaspora has now released the first elements of its source code. It at least has one advantage over Haystack – it is open source. Bugs and problems can be fixed by the internet swarm. But, so far, it has more problems than fixes.

Diaspora may still come out clean in the wash. Haystack, doubtful. The point is, don’t pay people for an idea. Or at least, if you are going to pay someone for an idea that won’t happen, pay me. But don’t get your hopes up on software that might never materialise. And, Austin Heap, don’t get up the hopes of an entire country, and don’t release to them insecure software that might end up getting them into severe trouble for using it.

Peace, out!

-Matt

Samsung Removable Hard Drive; Don’t Matter If You’re Black or Gold

No Comments

Following up on my review of the SkyDrive service, I thought I’d review something I purchased recently. Is it the most tacky gadget I own? Possibly. But it is the cheapest 500GB external hard drive I have seen.

Ladies and gentlemen, I give you Michael Jackson!

What possessed me to buy it, you might ask? Well, blame the other physics nerds – one found it, and the great deal got emphasized to everyone… Now something like 8 people at university own it. It really is that fucking good a deal: at £38 with free Amazon delivery, that is under 8p per gigabyte.

MJ HD
Tacky indeed. But price beats style, especially since you get a free slip-case!

Why so cheap? Well… if my sources are to be believed, they are hitting rock bottom on the high street too. It seems that people are in fact put off by the hideous gold plastic cover, and not at all swayed by the included digital movie of “This Is It”. Maybe I would watch it if it weren’t horribly DRM’ed… no, actually I probably wouldn’t.

OK, so perhaps some actual information. The drive is a Samsung, and of course has a usable capacity of less than 500GB due to the ongoing nonsense where they measure a gigabyte on their own imaginary scale, where a gigabyte is 1000 megabytes, which are 1000 kilobytes etc. In the real world the rest of us know that bytes work in 1024s, or 2^10. Don’t we have advertising laws?
The casing itself is cheap in look and feel. It is a crap plastic, with a distinctly 90s kids’ toy texture on the black back. I’m not at all worried about the back’s appearance though; the front kinda removed visuals as a concern. I should say that you do get a black Samsung sleeve that the drive fits in and can be used in, eliminating visual concerns.
You also get a shortish USB cable, perfectly adequate. It doesn’t require a secondary power cable or a second USB port.
The drive is also small enough to easily slip into a pocket.
It comes with some software for backing up and security, but personally I recommend forgetting about it and just getting PortableApps.

I don’t know what more to say really. The drive won’t win any awards; it isn’t the fastest or the prettiest, but it’s quiet and small, portable and cheap. Did I mention cheap? Yeah, hard drives are continuing to get bigger for less money, but this really is cheap. If you are looking for a cheap way of backing up, storing or moving data, this is great.

Just don’t expect people to react well to the look. Could be worse, they could think you’re a paedophile or something…
…Sorry Michael, but it was too obvious to pass up!

Pros:

  • Cheap
  • Quiet
  • Large capacity
  • Needs no extra power cable

Cons:

  • Gold
  • Michael Jackson

Check out the product at Amazon!

Peace, out!

Matt

UPDATE: Price is now back up to £50!

Windows Live Essentials Review – Sky’s the 25GB Limit!

No Comments

Did you know that a new version of Windows Live Essentials is on the way? Well it is, and the beta is already available for free download.

Live Essentials contains a load of programs, including Mail, Movie Maker, Family Safety and more. I don’t use these, however 😉, so I’m sorry! I will be reviewing Messenger, Outlook Connector, Sync and SkyDrive.

There’s lots to discuss here – the new version of Messenger, for example, is substantially different from your old version, but as you will see, it’s a lot better.

On with the review then, and let’s leave Messenger to the end. We’ll start with Outlook Connector, which is pretty simple. Have you noticed how these days all your social networks talk to each other, authorizing each other to see this and that data? Well, Outlook Connector is a plugin for, strangely, Outlook. It allows you to add Facebook, Live Messenger, LinkedIn and MySpace to your Outlook, and it will link up all your contacts or get you to do it.
What does this give you? Outlook gets a brand new ‘People Pane’ where you can see recent emails and social network info from your contacts. Simple but nice. I tend to be a little OCD, so I like everything to be tidily linked.

Now on to Sync. For me, this is a dream. It’s a little app that runs on startup, and it allows you to associate each PC you use with your Live account. Live keeps track of any PC running Sync and can keep folders and program settings synced between them. It’s remarkably fast, detecting changes instantly and updating the other PCs. It can also store these files optionally on the special 2GB ‘Synced Storage’ SkyDrive; this is not part of the 25GB I will discuss in a minute, it’s extra!
Sync also has one unobvious function. It has a brilliant remote control feature, allowing you to finally, seamlessly control one PC from another in a secure way using your Live account. Once the particular PC is enabled for remote access in Sync, it’s done!

Finally, Live Messenger. Well, hold on guys. It’s now much bigger looking and more useful in this modern age. Facebook integration. Yes, Messenger now incorporates a social feed, taking your social feeds from Live and Facebook and combining them into a nice interface. Additionally, the chat now allows you to chat on Facebook Chat too. Useful.
The chat window has had an overhaul too. New drawings for emoticons, and the ability to share files stored on your SkyDrive, such as photos, are here.
Oh, and ‘block’ is now just called ‘appear invisible to’, lol.

The title mentioned 25GB, so time for SkyDrive. You have probably heard of online cloud storage before. Meh, right? Well, reconsider. Hard drives in your PC don’t last forever. Any freak error, flood, fire, theft or crash and your precious memories are gone. And with Microsoft now giving every user 25GB of free storage, you have no excuse. It even links with their new Photo Album app.
I recommend using something like SDExplorer, which allows you to mount your storage as a drive on your PC, giving you traditional Explorer functions. Be warned, however, that this app has horrendously slow transfer speeds.

Well, in summary:

Pros:

  • Finally a modern set of Windows apps
  • Facebook integration is nice in Outlook and Messenger
  • Sync tool is the best of the lot – sync all my uni and PC stuff, and also allow remote control
  • SkyDrive storage now has all my photos backed up and safe
  • Beta seems bug-free to me

Cons:

  • Messenger is much less minimalist (at least by default) and some may not like this change
  • Lacking in other social network integration in Outlook and Messenger (e.g. Twitter)

I am actually pretty impressed; visually it all fits nicely with Windows 7, and the apps themselves (at least the ones I reviewed) are great.

N.B. – I can’t vouch for the other parts of the Essentials Pack!!!

Peace, out!

Matt