But...
... will they now try to prosecute the people who are discussing the Tweet...?!
An official Sony Twitter account has leaked the PlayStation 3 master signing key at the heart of the company's legal offensive against a group of hackers being sued for showing how to jailbreak the popular game console. Kevin Butler, a fictional PS3 vice president, retweeted the metldr key in what can only be assumed was a …
> An official Sony Twitter account has leaked the PlayStation 3 master signing key
I wouldn't call this a "leak". He didn't go into their secret source code, find the secret key, and post it to Twitter.
Someone posted a tweet directed at him with a random-looking string of hex and a cryptic comment. He obviously didn't know what it was, but thought the hex numbers looked a bit like the co-ordinates you use on a Battleships board. So he replied with a slightly lighthearted reply. And the Twitter program also copied the original message in his tweet.
Obviously, as soon as it was pointed out what the number was, he removed the tweet.
I don't think he actually did anything wrong. There was no way for him to know what the number was. It's not like people memorize the number. And as a Sony employee, he shouldn't have access to Sony's copy of the key, and his employer would probably prefer him not to read sites about hacking Sony's copy protection.
one, it was not @exiva to the original sender, but was a public tweet.
two, it was not just a reply to @exiva but a RT of the orignial tweet containing the secret key.
three. it was the real secret key NOT a "random string of hex" if he'd changed it then no problem.
What he should have tweeted was:
"@exiva you just sank my Battleship >:'o("
But no the marketing twonk thought thats such a good joke I'll publish it so the world can see it.... And in doing so broke the first rule of secrets club, dont publish your secret.
The fact that the marketing twonk did not know the key is technically not relevant, the key should be so obscure that there is a billion to one chance of him publishing it in a series of random numbers. so it's not possible(incredibly unlikely) to just publish it without knowing or being prompted. The point here is that he was prompted to publish it and did so.
A marketing person needs to be fully aware of every character they publish, THIS is the FAIL. he published something he did not understand, and the consequence is dire.
IF someone had posted "sony to give away ps3s for free" to him in English or Japanese, would he have reposted it? verbatim?
In all honesty, shouldn't we be more truthful than this? From what I understand reading other reports of this stupidity, someone sent the old private SELF signing key to the fake (clearly) Kevin Butler twitter account that is managed by a marketing person who works not for Sony, but for the marketing firm that Sony uses to handle the Kevin Butler campaign. The person behind the twitter account isn't a Sony employee, nor are they technical, nor should the be technical, or expected to be approving every retweet with some Sony legal team. Kevin Butler is a fictional person, so anything said it neither official, nor can it be attributed as authoritative. Not only that, but the point behind the twitter and other social networking elements of the Kevin Butler personality is to interact with gamers in a humorous manner to generate positive buzz. Therefore when someone tweets that account, they normally will get some kind of joking reply - like "You sank my battle ship!".
Of course sending the hex key yo that twitter and seeing it retweeted must have felt really good for the guy that did it, but it's hardly Sony leaking or giving away the signing key - is it? This is what really bugs me about The Register and tech media in general. Never let the truth get in the way of a hit generating headline. I used to think that the Register was better than that. Not any more.
Let's see, "Hacker Exploits Marketing Lack of Knowledge, Spreads Old PS3 Key" just doesn't have quite the same ring to it as "Sony tweets 'secret' key at heart of PS3 jailbreak case" does it? Perhaps one is more accurate than the other, but one is more likely to generate hits than the other. Guess which is which.
Law is law, and is often very differnent to what you percieve as common sense.
Legally an agent, paid by sony, published on behalf of sony, a secret key, that Sony are in the process of trying to withold/redact whatever.
There is no deception in this story. There is however a plonker, who is willing to repost anything for a cheap laugh, even if he doesn't understand the consequences of his actions.
At the moment the Japanese are going a bit crazy on copyright what with passing new laws that makes lending games illegal, and nintendo is trying to sue people that sell their saved games to other players.
http://www.zakzak.co.jp/society/domestic/news/20110208/dms1102081601011-n1.htm
Note game rentals are already illegal in Japan (unless you pay the correct Yakuza boss the correct sums of course.)
The title was a little misleading, I thought Sony leaked the unknown key.
Anyway this certainly undermines their legal case, should they now sue themselves for discussing (disclosing) the key? - no of course not they're the ones attempting to enforce copyright on their own property.
IMO DMCA is one of the most restricting laws that holds down the open development. In fact Sony should be letting these hackers get on with it, so they can fix flaws. No exploit employees involved , free labour. The DMCA just enforces security via obscurity.
Sony have put themselves into this situation.
their knee-jerk reaction to remove the OtherOS feature has actually pushed people who used that legitimate feature to now look at the jailbreak/rooted world to get that feature back... they then
enter the world where pirated games are a download away..and its all too easy for them to join the dark side.... when they used to live a world away from it, happily booting between linux and GameOS.
>>remove the OtherOS feature has
Because people were doing things they didn't want to happen.. i.e. unlocking the RSX in OtherOS. There is a reason it's locked out.. Sony makes money from licensing games. If they allowed OtherOS full access to the hardware there would be no reason for publishers to get their games officially licensed by Sony. You may not agree with Sony's business model but there is a clear reason why they removed OtherOS.
>>actually pushed people who used that legitimate feature
People keep making out that lots of people used OtherOS... without any numbers at all.
I would guess if OtherOS was running on a significant portion of the 44 million PS3's out there, then there would have been more of a fuss. One guy in the US tried to sue Sony for removing it and got nowhere right?
>>to now look at the jailbreak/rooted world to get that feature back...
I'm just guessing here.. but I reckon the people using these recent developments for warez opposed to homebrew is something like 1000 to 1?
>>world where pirated games are a download away..
The only reason this has all happened was the PSJailbreak.. which is for warez.
>>when they used to live a world away from it,
So homebrew is a "gateway drug?" even more reason for Sony not to allow homebrew right.
>>happily booting between linux and GameOS.
Yes, all those millions of PPC linux users that don't seem to appear anywhere.. The Wii is PPC too.. have we seen any massive jump in PPC linux users? Nope. From the Debian popcon stats we can see that Debian PPC hasn't grown in like 3 or 4 years.... You know if you want to run a commodity OS you can just buy X86 hardware right?
There are quite a bit of PPC users, and PS3 isn't just PPC but it also has the CellBE processor, the only one with such a thing. Thanks to IBM's axing of the Cell Blades, the only way to get 'em now is by buying a PS3!
OtherOS users would never ever need to crack the ps3 for pirated games; those in the industry actually think that Sony's move was stuipd because the pirates themselves had considered the PS3 too hard to crack, and thanks to OtherOS the hackers didn't care about hacking the thing.
In fact, the hackers stopped short of enabling piracy precisely because they weren't interested in that. It was the pirate community the one that went and used the opened doors to enable the "copy game to HDD, run from HDD" thingy. But they would still be unable to do so if the hackers hadn't cracked the thing, and the crack wouldn't have happened if OtherOS hadn't been disabled in the first place!
It may be a small % of PS3 users, but it is the kind of people that actually have the knowledge to crack the thing. Bad move!
Yes, I agree 100% with your comments. I am a linux head, I did not own a ps3. Now they are unlocked I have purchased one, with intent to make it my lounge room computer/media center. I have recently installed debian linux on it, and, well, it needs some work yet, but I'll enjoy helping improve it to the point where I can boot the ps3 normally for official bluray disks, or boot linux and use it for everything I currently use my dated laptop for.
I bet, infact know, lots of people are buying ps3s now they can do a lot more with them. Being cracked will sell more units of ps3, push the numbers sony use to woo developers, and pirates will pirate and consumers will still legitimately consume. Game publishers will make just as much money from the ps3 now, as they do from the xbox 360.
A PS3 would make a rather good HTPC, they're quiet and powerful and they come with a wireless controller - you could put some games on there too (mmmm, ScummVM on the big screen!) and using it for crunching Hard Numbers if that's your thing too. I'd definitely like to have a PS3 as part of my video processing and image stacking system. Lots of grunt in those Cell cores for that kind of thing.
The problem, from Sony's point of view, is the PS3 unit itself if a loss leader. They lose money on every console they sell - they make it back when you buy games, download stuff from PSN and so on. But if all you do is install linux, then Sony are just subsidising your HTPC, and they don't want to do that.
There were quite a few people using them - standalone or clustered - for Science, at least until it got cheaper/easier to use a stack of GPUs and OpenCL for most things. Sony, as a business first and foremost, didn't want to be paying for research that they didn't benefit from. I understand their point of view, but they handled it badly - they should have known that removing OtherOS would have triggered this kind of arms race, one they will always lose. How to handle it any other way is the difficult question - although it's possible that the negative publicity they're seeing now is costing more than a handful of PS3s!
"How to handle it any other way is the difficult question"
The root cause of the problem was that Sony were selling a very useful bit of kit for a loss, in the hopes of getting more people addicted to their overpriced games.
The other way of handling it would be to simply not sell the hardware at a loss. Instead, make money on every unit you sell and it wouldn't matter what use the customers were making of the hardware.
Even better, since you are no longer subsidising the hardware, the software doesn't have to be quite so overpriced which would give Sony a bit more leeway to undercut their rivals.
If Sony are unable to make the hardware at a price customers would buy at, then maybe thats a sign that it just wasn't a good design to start with for it's stated objective of playing a computer game.
>>There are quite a bit of PPC users, and PS3 isn't just PPC but it also has the
>> CellBE processor, the only one with such a thing. Thanks to IBM's axing of
>>the Cell Blades, the only way to get 'em now is by buying a PS3!
Ok, so IBM don't want to sell you a Cell anymore and neither do Sony.. you think it might be time to consider a new architecture?
>> the pirates themselves had considered the PS3 too hard to crack,
PSJailbreak came first. Don't try to re-write history the other way around.
The keys would have never been leaked had the PSJailbreak not appeared.
>>and thanks to OtherOS the hackers didn't care about hacking the thing.
So what the hell was GeoHot doing? Trying to unlock everything to OtherOS.
>> used the opened doors to enable the "copy game to HDD, run from HDD" thingy.
Again, you have it the wrong way around. Without the USB exploit from the PSJailbreak this would have never happened.
>> but it is the kind of people that actually have the knowledge
>>to crack the thing. Bad move!
Except that the PSJailbreak beat them to it?
I did not know I am transparent and inexistent. I have in fact two PPC desktops.
My main personal laptop nowdays is a MacBook Pro Titanium which my other half obtained via skipdiving before leaving her last job. The dolts in their IT did not know how to fix a run of bad sectors under Mac OSX. Despite it being 8 years old for most laptop tasks it performs _ON_ _PAR_ with the company hp nc94xx crap I am obliged to have from my work. Under Linux (debian to be more exact).
Similarly, till recently the shared desktop in my house was a Mac Mini G4 similarly running Debian. Similarly written off by dolts in IT somewhere and obtained via skipdiving. The only reason I went back to Intel for that is that the Mini does not hibernate.
I also know quite a few other users which use PPC for Internet exposed home/SME servers. It is quite a bit of fun watching k1dd10tz trying to apply their scr1pt k1dd13z 31337 sk1llz to a non-Intel big endian machine.
Yours, sincerely, a PPC linux user.
I guess George Hotz, aka geohot, potentially has a 'complete defence' to the allegations levelled at him by Sony.
The whole matter proves that Sony still hasn't figured out security following that 100% foul up with the root technique. See: < https://secure.wikimedia.org/wikipedia/en/wiki/Sony_BMG_copy_protection_rootkit_scandal >.
I have not (and don't intend to) read the text of the DMCA; however, I'd bet big that the proscription of circumventing encryption refers to the person/entity who does the circumventing. I'd be rather surprised to discover that the DMCA's language extends to anyone who just happens to read or watch something said person/entity has chosen to publish on the subject.
Or does it...?
The DMCA is a travesty anyway, a weapon an industry can use to harass and intimidate not only individuals, but competitors and innovators as well (cases in point: aftermarket toner cartridges for printers and garage-door openers), in ways nothing like the stated intent of the law, not to mention anyone who dares publish legitimate criticism of the quality or security of some product (lots of cases of embarrassing security flaws about which the researchers who found them never published their findings because they were threatened with DMCA action).
This is just another example of how it can be stretched (if this action goes Sony's way) to ridiculous lengths.
I agree with a previous poster; I intend to avoid Sony products anywhere I can.
"Kevin Butler, a fictional PS3 vice president..."
"A email sent to Butler [...wasn't...] returned"
Well if he's fictional, his email address probably is too, so...
But seriously, does that mean that he's a genuine employee, whom Sony have fictionalised as a vice-president (presumably for some idiotic marketing-related reason)?
I ask because I'm as confused as Goat Jam (upthread) appears to be.
...and Kevin Butler is indeed a real person, and not a character created for Sony by Deutsch ....
.... and of course Kaz Hirai himslef actually vets every Tweet sent, received, retweeted by Kevin Butler, who, again, is absolutely real in all senses of the word, and the Twitter account has never ever been managed by Deutsch.
And Other Os removal - wasn't that because George 'Please turn your camera towards me' Hotz, openly crowed that he had cracked the PS3 BEFORE Other OS was removed on the original design PS3s. And for those people that cite the iPhone Jailbreak as a precedent - the main motiviation behind that was to open the phone up to other carriers as all other phones were capable of being unlocked, and thus was seen as a consumer choice issue.
He only released the metldr key, because FailOverflow got there first and therefore they were stealing thunder that GeoHot thought was rightfully his, thus possibly restricting his 15 mins of fame and getting his face on FOX news.
The fact is, that the hacker community relies on the idea that Sony, Nintendo, and MS Xbox division WON'T do anything to stop them because of 'teh internetz' - I believe you should have the ability to do whatever you want to your stuff, as long as the ramifications of those actions are only restricted to you, but the signal-to-noise ration of online glitchers/modders and cheaters to homebrew enthusiasts must be about 10000 to 1.
Surely it must gall the true homebrew community to know that their community is being used as an excuse and smokescreen for hackers. What Sony should do is a) re-enable OtherOS through a small patch that can be downloaded if you want it, like an app on the Playstation Store, and b) release a hobbyist SDK like XNA.
But for everyone shouting out about the loss of OtherOS, people like the US Navy that were using PS3s for clusters didn't sue Sony, why not? Because to them the Sony firmware is just a glorified Grub bootloader.
Apologists..... cheeky modder fokkers.
Actually the CD CRM crapolla wasn't Sony at all. No offense to anyone who wishes to believe that Sony is the great Satan, but you are very wrong. Sony is a large multi-national corporation that owns many different companies, and is split across many different products and markets. Music CD production is/was owned, operated by Song BMG. BMG is a separate company within Sony, and operates that way. The CD DRM technology deployed was developed by a company BMG hired to protect their music CDs against copying. As it happens, few people inside BMG had even a partial understanding of how the technology worked. The point though is that It wasn't Sony. BMG is owned by Sony, but a wholly owned subsidiary company runs itself as part of the Sony group and has no relationship with SCE - Sony Computer Entertainment, which is the parent for SCEI, SCEJ, SCEE and SCEA.
Now, Sony being a good corporate decided to take it on the chin and took responsibility for what had happened, but, the truth of the matter is that someone in BMG wanted to stop their CDs from being copied and bought some DRM technology that was implemented by a third party. But you know, it's much easier just to say that Sony did it.
What bothers me is the way people who *should* know better, swallow all the half truths and myths as fact around here.
Symetric - you encrypt with the same key as you decrypt with (e.g. DES)
Asymetric - you encryrypt with one key and decrypt with a different one (e.g. RSA)
As I understand, Sony use Asymetric keys, so you hard-code the public key (everybody knows it) into the box and keep the secret key a.... um.... secret, unless the content was encrypted with the secret key (or just signed using a hash of the code) you can't decrypt it (therefore can't run it), symetric keys have been read from hardware before (using electron microscope), you have to be very careful removing the packaging of the chip (some of which are designed to destroy the content if dismantled) - using an asymetric key means that one key can be let out in the wild as long as the other remains a secret (and it's not anymore).
It's the same way that https/SSL certificates work.
Here is a company that doesn't want users running Linux on a Playstation, which they marketed as a computer system for tax purposes, but are wanting to market a Playstation branded phone running android, derived from Linux. Do they not see that as strange?
"D: It was on a chip in the console they sold to me..
Is there really that much difference?"
Yes - you misunderstand the difference between Public and Private keys. The Private key is used to sign the software as legitamate, an is known only to Sony HQ and is not distributed on the PS3.
So please explain how the 'hack' extracts it from the ps3 then...Have you seen the youtube vid before it was pulled? and explain why GeoHotz is in trouble for reverse engineering a ps3, not hacking into sony's computer networks.
Erm last time i checked Public/Private key only works if BOTH the sender and recipients Private keys are secure.. the ps3 private key is now not secure.
The public key can be public, and security is assured so long as the private key is truly private.
I don't know about the hack but I imagine that sony haven't been careful enough (a software mistake by the looks of it) in keeping the private key private.
The private and public keys are related, its just that to work out one from the other is terribly hard. But if the method to do so were common public knowledge then one could claim that knowlege of one 'automatically' bestows knowledge of the other. If that method was quick then the crypto scheme is broken and crap and could not reasonably claimed to be a copyright device. But how good does the crypto scheme have to be before it can be claimed to be a copyright device? I bet the dcma doesn't say and even if it did that would not be able to sensibly take into account technical advances. As usual lawyers and judges will be making arbitary decisions about technical 'evidence' with few qualifications to do so.
Fail0verflow were able to reverse engineer the old private signing key because of an egregious coding error that allowed them to determine sufficient information to use some very complex mathematics to reverse engineer the key. Hots simply reposted the key along with other information and software. Not sure of his motives, he always claimed not to support piracy, but there's really only one use for the information he posted. I guess he didn;t like the Fail0verflow guys succeeding where he failed.
Either way, the private key is never distributed with the hardware or software. The new private key - which is likely to remain secure for a long while, similarly does not exist in the software or hardware. Sony fixed the software flaw exploited by Fail0verflow, and so the new private signing key is probably secure until enough brute force computing is available to crack it that way.
What Sony are doing, basically, is preventing other people besides them from releasing games which can be played on the PS3; which surely meets anyone's definition of anti-competitive behaviour.
The only way Sony have a legal leg to stand on, is if it's possible for third parties to make PS3 games without the key. (And the method for doing this would have to be disclosed in court.) Otherwise, it is necessary for a PS3 owner to know the key in order to make full use of their own property (i.e., by creating their own games for it; it is true, not everybody will want to exercise that right, but it *is* their right) and therefore the key is *not* Sony's secret.
The fact that knowing the key makes it possible to play illegally-copied games is neither here nor there. All Sony have to do, if they are bothered about this, is sell legal copies of games cheaper than the "pirates" can make their own copies for. They have economies of scale on their side, after all. And if this doesn't fit in with their business model, well, I believe the phrase you're looking for rhymes with "rough pit" -- they can either adapt to the changing environment, or go the way of 95% of all species that ever lived on Earth.
>>What Sony are doing, basically, is preventing other people besides them from releasing games which can be played on the PS3; which surely meets anyone's definition of anti-competitive behaviour.
Well, if there was only one games console in existence and sony held a key part of the process preventing the creation of other consoles then you might have a point, but there are many other consoles/PCs and it's been built and sold by Sony as a closed platform, for a simpler analogy think printers, printer manufacturers will put things in the way of using "compatibles" or refills such as page counting chips, these don't prevent other printers being made just the consumables for their printer. If Sony had most of the market and their activities restricted other products (think Windows/InternetExplorer vs Windows/NetscapeNavigator - as an open platform this put Netscape at a disadvantage).
>>The fact that knowing the key makes it possible to play illegally-copied games is neither here nor there. All Sony have to do, if they are bothered about this, is sell legal copies of games cheaper than the "pirates" can make their own copies for.
Eh? seriously, Eh? how much does a blank DVD cost?
>>They have economies of scale on their side, after all. And if this doesn't fit in with their business model, well, I believe the phrase you're looking for rhymes with "rough pit" -- they can either adapt to the changing environment, or go the way of 95% of all species that ever lived on Earth.
OK, either I've missed something or this is a really stupid thing to say, lets compare the two business models;
1. Sony
Large investment in marketing, research, development, testing, production, distribution and advertising; thousands of people employed, needing high volume sales to maintain a large company.
2. Pirate
Blank disks, stack of burners, internet connection, car boot sale, probably claim benefits while spending the day burning pirate copies playing WOW only pausing to put the disks in the cases, punt the disks for £7 at a car boot, probably £6.50 untaxed profit
Now, #2 requires #1 otherwise there's no source material to pirate, so let's imagine that Sony could reduce the price to £5, or maybe shift to charging on use via some internet scheme, what would the pirate do? charge £3? maybe you can get copies that cheap anyway, how can Sony possibly compete with the pirate, when the pirate has almost no overheads? (such as paying for the product to be created in the first place).
They may have economies of scale on their side, but they have a ton of things going AGAINST them. R&D, development costs, hiring talent, marketing, pressing costs, etc. all add up to exorbitant development budgets. Little wonder a number of notable developers have collapsed/moved elsewhere/been bought out this generation.
It's like the drug market. Trying to find the next miracle drug is the hardest and most expensive part (not to mention the thing that takes up most of your precious patent-exclusivity time). Making the darn things (once you know the formula) is the simplest (this is why drugs are patentable--otherwise, there'd never be an RoI on them, and no incentive to make new drugs; the nature of those things being treatments rather than cures is another discussion altogether).
I think that Sony is playing with fire if they are trying to subpoena lists of people who watched a particular you-tube video. Over here, video rental history (I realize slightly different from youtube since there's no actual rental there) is protected under the video privacy prevention act.
Apparently a supreme court nominee had his history dug up by people trying to block him, and though it turned out he hadn't watched any smut, the congress-critters watching the proceedings started thinking about what would happen if the same thing were done to them by opponents and quickly passed one of our toughest privacy acts. I believe that under current law, video rental records are more protected than library history.
I can't help but feel that somewhere in all of this, in the fact that the freedom to watch Debbie Does Dallas is better protected than the freedom to read Das Kapital, an essential aspect of the American character is revealed.
Lawyers know that discovery requests have to be as broad as possible, because there are no second chances to get more information once discovery ens, therefore Sony's lawyers have requested everything they can think of. Sony isn't directing them to harass anyone, this is all standard operating procedure in a civil case in the US legal system. If you want to blame someone, blame the legal system since it effectively encourages overly broad discovery requests in the first place.
The twitpic link contains 20 hex pairs. In other words that's 20 bytes or 160 bits. That's nowhere near long enough to be a signing key. Asymmetric RSA/DSA keys used for signing certificates and the like are 1024 bits minimum. 160 bits is more likely to be the SHA1 hash of the key.