Tag: drm

Sony – Suing GeoHot won’t put Pandora back in the box

2 Comments

So the JIG is up, and thanks to fail0verflow and GeoHot, the PS3 is well and truly hacked. And it seems likely that more than one person has been fired from Sony; their security model is so comprehensively broken in it’s design that there is very likely no comeback without changing the hardware, and that will not do anything either as now the private keys have been released.

In cryptography, there are a set of keys used for encryption. Simply, signing and encryption involves two keys. These keys are twinned; each half can encrypt, and only the other half can decrypt. Yet the keys are distinct – someone can know one of the keys and still be helpless.
In PGP signing, and in console cryptography, one key is the public key, and the other is a private key. The public key is built into the console, and the private key is in a safe at Sony. Sony sign every executable with their key, and the PS3 verifies that it is valid by using the public key, which as the name suggests, is often known.
Mathematically, if this is properly implemented, it is almost unbreakable. Unfortunately, Sony messed up. See, the equation would easily be broken if many files were signed identically, as the differences could be eliminated and the key calculated. So, the encryption uses a random number in its equation; the number is changed with each executable to be signed. This simple step is one of the basic and most important parts of the security. Fail. Sony’s idea of a random number?

4. Four. Quatre. 5-1. Whatever number. FOR EVERY EXECUTABLE.

So, with only two sets of files, the random variable in the equation can be eliminated and the keys calculated.

Since this was done on one part of the Sony OS, it’s expanded to all of the parts; the master keys are all over the Internet! And this key means that anyone can sign their PS3 programs, and the PS3 will just think it’s from Sony! The person doesn’t even have to have ‘jailbroken’ their PS3!

Sony’s response is to sue fail0verflow and GeoHot – yet the key is everywhere. This key has signed every PSN software so far. So Sony can’t even revoke the key in an update without breaking all the legitimate software so far. Worse still, the total breaking of the security means that with digging, people have discovered Blu-Ray and PSP master keys too!

Too late to sue, Sony. The secret is out. The number 4.

Peace, out!

 

(Note – Apparently the number in itself wasn’t 4, this was an example however given by the failoverflow team, hence originally quoting here. The point illustrated is the same – they used the same ‘random’ number in multiple places, a grave mistake)

Categories: software security

Tags: , , , , , , ,

Pre-owned Gamers – THQ Hates You

No Comments

Pre-owned games have long been a controversial area of modern gaming. Now, some developers, such as THQ, are putting the fingers up to the pre-owned market.

It’s like this – if you walk into a store and buy a pre-owned game, you give zero money to the company that made the game:
Gamestop buy a copy of Final Fantasy XIII from Square Enix, imagine it costs them £15. Square Enix gains £15. Gamestop sell this game, new, to you for £40. Gamestop are now £25 up.
You return the game, and they give you £15 for it. Gamestop are still £10 up.
They sell this game, used, for £30. Gamestop are now £40 up.

THQ
They hatin' - THQ are among the first developers to start with restrictive DRM that prevents reselling

See how profitable pre-owned can be for the store? Yet, in the example, Square Enix only benefit from the initial £15.

Now, you might say that when people trade in games, they spend this on more games. A perhaps valid counter-argument.

Now, let’s get back to the news… developer THQ has said that it’s upcoming title “Smackdown vs. Raw 2011” will feature a one-time code in the box, and without activating this one-time code, online play is locked out. You also get the first DLC free. The most newsworthy part of this story is, THQ ‘doesn’t care’.

That’s according to Cory Ledesma, an employee of THQ, who said “loyal fans” who are interested in buying the game first-hand are the priority:

“I don’t think we really care whether used game buyers are upset because new game buyers get everything. So if used game buyers are upset they don’t get the online feature set I don’t really have much sympathy for them.”

“That’s a little blunt but we hope it doesn’t disappoint people. We hope people understand that when the game’s bought used we get cheated,” he continued.

“I don’t think anyone wants that so in order for us to make strong, high-quality WWE games we need loyal fans that are interested in purchasing the game. We want to award those fans with additional content.”

EA were perhaps the first ones to test such a system, using “Online Pass” on its sports games. It similarly requires gamers to enter a one-time code for in-game content.

I understand the situation of the developers. Yeah, they are essentially losing money to the retaillers, who are taking advantage of the situation. However I have a few big problems with these plans.
Firstly, I am very disillusioned with the recent trend of giving ‘new’ buyers a code that allows ‘DLC’ when in fact that DLC is already on the game disc, just locked out. I also dislike the current trend that DLC is created for short games, expanding them to what I consider a ‘normal’ level, and that we have to pay for this ‘privilege’. Online play is similar to this.
Next, perhaps giving ‘new’ buyers some exclusive content is ok, but just plain DISABLING part of the game (online play) is dirty. A lot of buyers won’t even realise that if they buy this game pre-owned, it won’t work AS ADVERTISED.
What happens if my Xbox dies? I buy a new one… but what happens to the code? It was locked to that Xbox…
My big worry is the future. This is the next step in a more and more locked down digital world, and in fact this might hinder our culture. I can only imagine if the same measures were in some of the games I remember from my youth, which you can still get from eBay or other places, for retro and long dead consoles. I love old games too, my Sonics and Chaos Engine, etc. Will future generations be able to enjoy this game once the publisher stops manufacturing / goes bankrupt?

More and more, we don’t own digital property, we ‘rent’ it. And this is just a reminder that the company you ‘lease’ it from can take it away from you any time it likes. I can’t help but draw parallels to the music industry, who cry and wail about losing money in piracy etc yet still turn record profits… How much do you value cash over customer good-feeling, digital industries?

Interestingly, with a bit of clever work, I am already tricked into a similar situation with Steam. But I guess there I never had any expectation of being able to resell my games, and Steam value their customers, and have great deals without restrictive DRM. I can also always re-download everything as long as Valve exist.

My message to THQ and other developers is this: Stop punishing the customer – he will just stop buying from you. Put the squeeze on retaillers to give you some profit. They don’t like it? Tell them you won’t give them distribution rights to your games at all. I’m sure they will comply.

Peace, out!

Matt

PS – Surprise surprise, the masters of DRM, Ubisoft, are said to be ‘very interested’ in a similar approach.

Categories: games

Tags: , , , , , , ,