
Sony – Suing GeoHot won’t put Pandora back in the box


So the JIG is up, and thanks to fail0verflow and GeoHot, the PS3 is well and truly hacked. And it seems likely that more than one person has been fired from Sony; their security model is so comprehensively broken in its design that there is very likely no comeback without changing the hardware, and that will not do anything either as now the private keys have been released.

In cryptography, there is a set of keys used for encryption. Simply, signing and encryption involve two keys. These keys are twinned; each half can encrypt, and only the other half can decrypt. Yet the keys are distinct – someone can know one of the keys and still be helpless.
In PGP signing, and in console cryptography, one key is the public key, and the other is a private key. The public key is built into the console, and the private key is in a safe at Sony. Sony sign every executable with their key, and the PS3 verifies that it is valid by using the public key, which as the name suggests, is often known.
Mathematically, if this is properly implemented, it is almost unbreakable. Unfortunately, Sony messed up. See, the equation would easily be broken if many files were signed identically, as the differences could be eliminated and the key calculated. So, the encryption uses a random number in its equation; the number is changed with each executable to be signed. This simple step is one of the basic and most important parts of the security. Fail. Sony’s idea of a random number?

4. Four. Quatre. 5-1. Whatever number. FOR EVERY EXECUTABLE.

So, with only two sets of files, the random variable in the equation can be eliminated and the keys calculated.

Since this was done on one part of the Sony OS, it’s expanded to all of the parts; the master keys are all over the Internet! And this key means that anyone can sign their PS3 programs, and the PS3 will just think it’s from Sony! The person doesn’t even have to have ‘jailbroken’ their PS3!

Sony’s response is to sue fail0verflow and GeoHot – yet the key is everywhere. This key has signed every PSN software so far. So Sony can’t even revoke the key in an update without breaking all the legitimate software so far. Worse still, the total breaking of the security means that with digging, people have discovered Blu-Ray and PSP master keys too!

Too late to sue, Sony. The secret is out. The number 4.

Peace, out!


(Note – Apparently the number in itself wasn’t 4; this was, however, an example given by the fail0verflow team, hence originally quoting it here. The point illustrated is the same – they used the same ‘random’ number in multiple places, a grave mistake.)

The War for the Internet


You must be living under a rock if you haven’t heard about ‘Cablegate’ – the continuing saga of USA, WikiLeaks, Julian Assange, Anonymous, TheJester, the list goes on. A quick summary of the situation follows, and some analysis and knock-on effects as I see them.

WikiLeaks is an anonymous whistle-blower organisation – ‘wiki’ being that anyone can contribute, similarly to Wikipedia. WikiLeaks stopped this ‘free edit’ policy a while back as it was too hard to manage, but set up a system for people to anonymously submit secrets. Now, we aren’t talking about how you’re the one who stole your neighbour’s gnome here; we’re talking big things – governments, corporations, groups etc.
A while back, WikiLeaks released a multitude of material on the Iraq war, including video of US chopper pilots and soldiers shooting at a bunch of civilians, journalists and children. Ever since, the US has been on a slow burn – make no mistake, they hate WikiLeaks in the US Government. It’s very clear.
Cablegate has pushed the US to breaking – it is the simultaneous release of hundreds of ‘cables’ i.e. little notes or snippets from US ambassadors, representatives and more. They are retained by the government and access is restricted but the cables are NOT classified. The contents range from little observances on foreign politicians, to records of orders from Hillary Clinton to collect intelligence, DNA, biometrics and more on foreign UN ambassadors. It also sheds light on the relationship between nations.

The US Government knew about the planned release and had worked hard to mitigate the damage but there will obviously be fallout, and perhaps a loss of trust between nations, spies, ambassadors and so on. And that’s when things get silly…
The Americans are taking things out firmly on Julian Assange and WikiLeaks. I have a number of problems with that. Firstly, they are spouting a line of “This will cost lives” yet have admitted that the information has, thus far, neither been damaging nor has placed anyone at risk. They have also called to name WikiLeaks a ‘terrorist organisation’.

WHAT? WikiLeaks a terrorist organisation? Or from Sarah Palin, who called for Assange to be designated a terrorist and for US Special Forces to move in and assassinate him? What is WRONG with the USA???

I know that every government, to a greater or lesser degree, involves themselves in this kind of stuff. But what they all have to realise is that information flow is greater now than it ever has been. When something occurs, everybody knows in seconds. And I’m sorry, but governments need to rethink themselves – this stuff WILL out, and in this age everybody WILL hear about it. So it’s time to STOP. If you don’t want to be damaged by a leak, stop doing crazy, morally ambiguous, evil, terrorising stuff.
“Oh, but the UK does it too, they all do” – Yeah, I bet. And it’s in YOUR name. Is ignorance bliss? You don’t care as long as nobody finds out? Bullshit. I don’t want this stuff done in my name.

Moving on to Assange. I don’t know the ins and outs of his accused crime, but all the coverage I’ve seen suggests that the allegations have some serious flaws, mostly in the two particular girls. They seem to have decided it was non-consensual AFTER they found out he was two-timing them. So, he’s a dick, but hardly rape. However, Sweden has odd sex laws such as “I was drunk therefore it was rape” kinds of allegations. I personally think these are damaging on the whole to the victims of rape.
I hope that the US did not put pressure on Sweden to continue to pursue allegations that had TWICE been rejected at appellate courts, but I’m willing to bet they did. At the same time, PayPal, Visa, MasterCard, SwissBank, Amazon, EveryDNS… they have all cut their ties with WikiLeaks for various reasons. This has severely hurt the funds of WikiLeaks. The only one to actively admit that it was pressed by the US was PayPal, who said that the “State dept. informed us that they were involved in illegal activities”.

So yeah, forget courts, burden of proof, justice. PayPal doesn’t care. I’m willing to bet the story is similar to the rest. What exactly has America got to hide?

Enter TheJester and Anonymous. TheJester is some absolute juvenile cunt who, prior to this, was presumably in the US army serving in the Middle East. He calls himself a “hacktivist fighting for good” when really he is a patriot. And you know, I use that word now without even thinking of the presumed “I love my country” bullshit. When I hear patriot I think of a stupid, blind, puppet of an American. The ones that blindly follow the whim of the government or their leaders for some delusion of national pride. TheJester also seems to be some sort of programmer, though I suspect his programming experience is average. He seems to have ‘adapted’ (plagiarised) a program called Slowloris to make XerXes, a DDOS (Distributed Denial Of Service) program that routes using Tor, the onion network, for anonymity. He has used his software in the past in order to DDOS ‘jihadist’ websites. A noble cause maybe.
Now he has turned on WikiLeaks. Yet, his failings became evident very quickly; mere hours after egotistically declaring “TANGO DOWN” on his twitter the WikiLeaks site was back. And this guy has himself an enemy.

Anonymous have waded in, in the name of Internet openness and freedom. And they have launched Operation:Payback, and it has been working fantastically! They have their target list of all those who betrayed WikiLeaks, and have been attacking as a group; today, MasterCard has been down.
Anonymous are a force and one you do not want against you – they have no head, only teeth. They are generally morally guided to causes, and while sometimes dicky, I think they are an important bunch. Those who do not care that their methods are illegal, they are vigilantes and rioters. But sometimes you need such people to effect great change.

So, in what could be the first Internet War, who are the players?
WikiLeaks and their ally Anonymous fight for a free internet and world.
USA government (and others), their foot-soldiers (TheJester) and their subservient corporations fight for their own ends.

This won’t be a war that you know when it ends. But it could fundamentally change the internet, and in some ways it already has shown me one thing. Companies control too much of the Internet for my liking. Amazon, eBay, Google, Microsoft, Facebook, PayPal… the list goes on. And as long as these entities have no moral centre of their own and will do whatever the US tell them to, the Internet is at risk. They want WikiLeaks shut down because it’s not under their control, and that scares them. Bastards, that’s all I can say. USA always has the approach of policing the world, and always to its own ends. The line stops here; the Internet is NOT yours to police and there are those who will fight to keep it from you.

In summary; go WikiLeaks, go Anonymous, go fuck yourself USA. Hypocritical, paranoid monsters with some severe entitlement issues.

I know which side I’m on, have you chosen yours yet? The time may soon come where your voice needs heard, not just in disapproving comments in the pub, work, online comments, but instead on the streets – it is the only thing they will listen to.
It is time that governments started doing what their masters tell them; that’s you and me.

UPDATE: Anonymous has now taken down Visa