Tag: security

Sony – Suing GeoHot won’t put Pandora back in the box

2 Comments

So the JIG is up, and thanks to fail0verflow and GeoHot, the PS3 is well and truly hacked. And it seems likely that more than one person has been fired from Sony; their security model is so comprehensively broken in it’s design that there is very likely no comeback without changing the hardware, and that will not do anything either as now the private keys have been released.

In cryptography, there are a set of keys used for encryption. Simply, signing and encryption involves two keys. These keys are twinned; each half can encrypt, and only the other half can decrypt. Yet the keys are distinct – someone can know one of the keys and still be helpless.
In PGP signing, and in console cryptography, one key is the public key, and the other is a private key. The public key is built into the console, and the private key is in a safe at Sony. Sony sign every executable with their key, and the PS3 verifies that it is valid by using the public key, which as the name suggests, is often known.
Mathematically, if this is properly implemented, it is almost unbreakable. Unfortunately, Sony messed up. See, the equation would easily be broken if many files were signed identically, as the differences could be eliminated and the key calculated. So, the encryption uses a random number in its equation; the number is changed with each executable to be signed. This simple step is one of the basic and most important parts of the security. Fail. Sony’s idea of a random number?

4. Four. Quatre. 5-1. Whatever number. FOR EVERY EXECUTABLE.

So, with only two sets of files, the random variable in the equation can be eliminated and the keys calculated.

Since this was done on one part of the Sony OS, it’s expanded to all of the parts; the master keys are all over the Internet! And this key means that anyone can sign their PS3 programs, and the PS3 will just think it’s from Sony! The person doesn’t even have to have ‘jailbroken’ their PS3!

Sony’s response is to sue fail0verflow and GeoHot – yet the key is everywhere. This key has signed every PSN software so far. So Sony can’t even revoke the key in an update without breaking all the legitimate software so far. Worse still, the total breaking of the security means that with digging, people have discovered Blu-Ray and PSP master keys too!

Too late to sue, Sony. The secret is out. The number 4.

Peace, out!

 

(Note – Apparently the number in itself wasn’t 4, this was an example however given by the failoverflow team, hence originally quoting here. The point illustrated is the same – they used the same ‘random’ number in multiple places, a grave mistake)

Categories: software security

Tags: , , , , , , ,

Vapourware – Like a Needle in a Haystack

No Comments

Vapourware describes a product, usually software, that has been announced by a developer during or before its development, if there is significant doubt whether the product will actually be released. It is software which at best is still in development, and at worst is no more than an interesting concept in the mind of someone at the organisation. Vapourware is sometimes announced with great fanfare as a spoiling tactic to hurt sales of a competitors already launched product.

Maybe you don’t know, but in many parts of the world the internet is not free. It is not open. Many countries have, or are considering, filtering the internet. The reason for this is always cited as “protecting the public” or even just “child porn” (‘Think of the Children!’ defence). Make no mistake; filtering the internet is a bad thing, and it is coming to a country near you – the USA, Australia and UK are both considering ‘net neutrality’ bills, and the continued tightening of digital rights (think the Digital Economy Act) pushes us one step closer to a constrained internet, an internet which is no longer the last true bastion of free speech.

…but this article isn’t about that. This article is a warning. Vapourware. The definition is above. So, Matt, why did you launch into a tirade against internet law? Well, because the people of the world have been had; specifically the people of Iran. I’m talking about ‘Haystack‘.

Haystack was a fantastic story. The myth – a young, bright, entrepreneurial and morally-guided man, Austin Heap, heard the suffering of the people of Iran, and developed an encrypted proxy network, one which would bypass the filtering imposed upon the innocent Iranian people.
The fact – no software officially released to date; the beta has leaked to many Iranians but is full of basic security holes. Despite much money donated to the project, it fails and in fact risks the security of millions of Iranians, both online but also from state police.

Austin Heap, the creator, was being lauded in the press, with absolutely no software credentials to back this up. He conjured false hope about a solution better than any currently available. He even claims that Haystack is better for privacy than the Tor onion network. He refused outside, open-source development, under the guise of preventing the Iranian authorities from breaking his system. However, when the executable finally found its way into the hands of some reputable software programmers, it was clear that the product was just not what it should have been (link is to Danny O’Brien’s twitter feed. He also wrote an article about Haystack here). Even their main developer resigned.

Austin Heap was quoted as saying:

“I hope we are ready to take on the next country. We will systematically take on each repressive country that censors its people. We have a list. Don’t piss off hackers who will have their way with you. A mischievous kid will show you how the Internet works.”

I think he fell victim to his own hype, and his own motto.

A lesson indeed in the dangers of getting wrapped up in an idea. I doubt that the Dragons from Dragon’s Den would have invested in his idea. An idea is NOT a product, not a result. Ideas are easy; the idea of creating a proxy system for repressed regimes is an easy idea. The reality is all the steps in between, the lives you are risking along the way, the code and its robustness. One error can spell doom, and it seems for Haystack, this might have happened.

So… Diaspora anyone? Yeah, this is still vapourware. Diaspora purports to be a better Facebook – fixing the much-maligned privacy concerns in Facebook, removing the trash, making it clean. You can host your own Diaspora network, with its own look and feel, but all the Diaspora networks can interact and share information in a controlled way. And, yet again, it was hyped to an insane degree, raising hundreds of thousands of dollars in funding, for a mere idea.

Even at the time of announcing I was dubious. Now Facebook is everywhere, it is tightly integrated into so much of the web at the minute. Diaspora might now be a step backwards. Heck, Facebook might even be getting into the phone OS game now. But Diaspora has now released the first elements of its source code. It at least has one advantage over Haystack – it is open-source. Bugs and problems can be fixed by the internet swarm. But, so far, it has more problems than fixes.

Diaspora may still come out clean in the wash. Haystack, doubtful. The point is, don’t pay people for an idea. Or at least, if you are going to pay someone for an idea that won’t happen, pay me. But don’t get your hopes up on software that might never materialise. And, Austin Heap, don’t get up the hopes of an entire country, and don’t release to them insecure software that might end up getting them in severe trouble for using it.

Peace, out!

-Matt

Categories: current affairs featured software security

Tags: , , , , , , , , , , , , ,