I had considered this as a portal news post but for now I am going to call it a regular post. If another member of staff or someone else wishes to do something to make it news feel free.
PSN- the state of things by GBAtemp.
Although it is now a very widespread news story details are still very few and far between. We are going to attempt to do a rundown of what happened, what was said to have happened, some of the concepts involved both legal and technical and try to get a handle on some of the players involved in various things.
In the summer of last year noted hacker Geohot started messing with the PS3 and got some interesting things done and pulled a fair bit apart with a hardware level attack. This was not the first PS3 hack but it was a fairly big one and a lot of nice technical information was generated but it did not progress very far.
Around the same time Sony removed the otherOS functionality from the system. Reasons and logic for it will probably be debated for years to come. It will however be said that those blindly stating “this person caused it” will not be looked upon as a fountain of knowledge. Equally a series of lawsuits (some of which were class action) were filed against Sony for this course of action- most have since been dismissed however.
Apparently as this was going on another group of hackers now known as fail0verflow but previously known for a lot of iphone and console work among other things were trying their hand at some PS3 stuff but that is getting ahead of things.
Shortly after this the so called PS3jailbreak happened and debate as to the history/origin of this and people behind it is still ongoing. It allowed people to play copied PS3 games for the first time and Sony jumped on it fairly quickly- there were a few downgrade attacks and they got a few things done but it became less and less useful as new games and firmwares appeared.
In late December 2010 there was a conference from fail0verflow on the matter of the PS3 covering all that had happened and their own work. You can see this conference here and it provides a very nice backing for most of this <a href="http://www.youtube.com/watch?v=5E0DkoQjCmI" target="_blank">http://www.youtube.com/watch?v=5E0DkoQjCmI</a>
This directly led to the PS3 private keys being generated (if you have seen the video it covers it but the quick version is encryption is based on maths and like maths there are little shortcuts which you often want to avoid- Sony failed to avoid them and thus their private keys were released). This is largely unmatched in the history of console hacking (a few calculators had them brute forced recently but this was many years after their heyday vs the PS3 which is still very active).
This opened the floodgates and Geohot also returned to the PS3 providing a few basic tools, some keys (which fail0verflow had neglected to retrieve and/or share ostensibly as it was not directly related to their work) and interesting hacks in fairly short order. Depending on the person you are speaking to though he did not do much beyond this in the actual getting games to run world with that being handled by many others (indeed it could be said Geohot took measures, albeit basic ones, to try and slow progress in some of those arenas).
Sony did their best to step on this but as everything has been compromised there is little they can do. They locked it down at firmware (and higher) level and despite it theoretically not accounting for much (some of the keys are burned into the hardware and we have their private counterparts) it largely seems to have held with <a href="http://gbatemp.net/t289743-mathieu-explains-3-60-exploit" target="_blank">http://gbatemp.net/t289743-mathieu-explains-3-60-exploit</a> being about as far as things have progressed on that front (Sony also apparently introduced a few more measures of protection in the new firmwares)- reasoning for this (many would call there being more than enough hacked/hackable machines to be getting on with to warrant the extra effort) is left for others to debate.
As per most private/custom online networks you need to be at the latest software to use the networks which gets us closer to the present events. For a while a simple DNS/routing hack tricked the PS3 on an older firmware into thinking it had the latest version (in a possible sign of things to come it seemed that the PS3 itself was allowed to check and validate things- traditionally unless it is really not viable you do checks remotely and certainly do not ultimately leave it to a static text file). There were a further few routing and firmware level hacks afterwards that were not quite as widespread (some of them are covered in the IRC logs linked further down) but they did not hold for long.
More recently it was noticed that the network run in parallel to PSN for developers, reviewers and those that justifiably need access to such a network could be accessed via a tweaked PS3 firmware (easy enough to do when you have the keys) and that it was not locked down very well. Some then speculated that those using this new workaround could obtain new games for nothing and that was a reason for PSN being shut down and although it might have been a factor but at present we are not sure of that. <a href="http://gbatemp.net/t290220-rampant-piracy-may-be-to-blame-for-psn-downtime" target="_blank">http://gbatemp.net/t290220-rampant-piracy-...or-psn-downtime</a> has some on that. There are other possible implications for this workaround but we will be returning to them shortly.
Stepping back for moment Sony did not just leave it at the update the firmware level and launched a barrage of sometimes very questionable legal attacks on various people most prominently Geohot and graf_chokolo although others including fail0verflow were hit with various legal attacks (although jurisdiction and other things seemed to have prevented that case from heading far). The case against Geohot was recently settled out of court with serious restrictions placed on Geohot regarding what he can do in the future with Sony equipment (a leaked PDF document of the settlement should be doing the rounds- <a href="http://gbatemp.net/t288233-settlement-in-george-hotz-case?view=findpost&p=3584298" target="_blank">http://gbatemp.net/t288233-settlement-in-g...t&p=3584298</a> and <a href="http://www.theregister.co.uk/2011/04/19/geohot_donation_to_eff/" target="_blank">http://www.theregister.co.uk/2011/04/19/ge...onation_to_eff/</a> ) although others appear to still be ongoing.
During the case against Geohot the group (although the word group is taken to be fairly loose) that goes by the name Anonymous apparently took umbrage at Sony's treatment of people involved in the cases and took various actions against Sony. Anonymous' representatives/“leadership” (again the group has in many ways done away with what one might consider to be a traditional power structure) however deny any directly sanctioned actions in this latest bout <a href="http://www.1up.com/news/anonymous-denies-responsibility-psn-outage" target="_blank">http://www.1up.com/news/anonymous-denies-r...lity-psn-outage</a>.
Fastforward back to the present day the PSN network has been attacked (and since voluntarily shut off by Sony- <a href="http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/" target="_blank">http://blog.us.playstation.com/2011/04/26/...k-and-qriocity/</a> ) and much of what happened above could even turn out to be somewhat unrelated to the brief history we just described. Before dismissing it though your attention is drawn to the previous lax security on the part of Sony (beyond the would be “unbreakable” main PS3 security) and if further information is desired <a href="http://dpaste.com/536140/plain/" target="_blank">http://dpaste.com/536140/plain/</a> has some (thanks Rydian for that link) and consider that alongside this various private keys for the PSP were also found in the PS3 (every PS3- they are called private keys for a reason).
Sony claims the outage is due to a breach of security in which credit card information may have been retrieved by those that breached the service. We do not know at present if the breach was related to any of this (it being a more conventional attack against a web server- <a href="http://www.youtube.com/watch?v=YDW7kobM6Ik" target="_blank">http://www.youtube.com/watch?v=YDW7kobM6Ik</a> <a href="http://search.theregister.co.uk/?author=Jeff%20Williams" target="_blank">http://search.theregister.co.uk/?author=Jeff%20Williams</a> ), simply spurred one/honed by the information/tools available through the general PS3 hacking work or as a direct result of the open door provided by the hacked “developer” PS3s.
A note on the matter is that it took several days for Sony to come forward with the hack- it is unpleasant but it could be justifiable if a full audit needed to be performed (and for a global service the turnaroud was pretty good).
In addition to this (and in a fairly quick turnaround) several governments both national and international have called for/launched probes into the affair <a href="http://gbatemp.net/index.php?showtopic=290474&st=0&start=0" target="_blank">http://gbatemp.net/index.php?showtopic=290...t=0&start=0</a> and class action lawsuits have been filed against Sony for their part in the matter as well.
On the matter of the EULA/terms of service some have noted a clause* that might provide Sony an out- this is potentially problematic for Sony for several reasons including
TOS is not necessarily legally binding- there are whole law offices devoted to contract law and attempting to get various clauses considered unlawful. EULA and terms of services providing a fair amount of the work such people do or indeed being their sole area (contract law is wide reaching and prone to being highly specialised).
Sony does have a duty of care when it comes to data and their database access- if they can be shown to be negligent in securing it then Sony can be charged. A thing worth noting at this point is that it has been claimed Sony did not follow best practices in the transmission of credit card details (simple SSL encryption rather than the multiple layers usually warranted/required)- this is however a different matter to this present breach which concerns the servers and their databases of numbers rather than say a man in the middle attack against PSN users.
It could also be that the “relevant” section does not apply here even if it is ultimately legally acceptable- it could be interpreted that Sony is not liable for a malicious device on your network (certain solutions may claim a measure of protection against such things- some companies that deal in VPN attempt to offer such assurances) and that as the breach did not happen “when using Sony Online Network”.
*“[Sony is] not liable for any loss of data or any “unauthorized access,” to said data when using Sony Online Network.” .
Make of this what you will- I was seeing a lot of debate that clearly lacked a proper grounding in the matters. If this can help a few people in such matters great.
@
Psionic Roshambo:
@
K3Nv2:
@
BigOnYa:
@
BakerMan:
