Sony's attempts to prevent piracy on both the PS3 and PSP have taken a number of blows in recent weeks. Today, the company announced that it intends to sue the PS3 hacker GeoHot, who's been an increasingly large thorn in the company's side over the past 18 months. When Sony released the 3.21 firmware update that broke Other OS functionality, it was GeoHot who first demonstrated his own custom firmware running both 3.21 and Other OS simultaneously. For more information on the repercussions of Sony's decision and its anti-piracy efforts to that date, check our original coverage here.

Let's recap first. Last fall, Sony cut the price of its PSP Go from $249 to $199 in a purported attempt to boost the system's anemic sales. The PSP Go has a number of flaws when compared to the PSP, but the most significant is its inability to play UMD-based games. The PSP Go was designed without a UMD slot to make it harder to hack, but Sony was apparently unable to reconcile its desire to prevent piracy with the need to build a product people actually buy.

The PSP's mod kit in action. Unlike the PS3 modifications, the PSP Go's changes *were* intended to change what games people could play. On the other hand, it's Sony's fault the problem exists in the first place.

That's something of a moot point now. Less than two years after its launch, the PSP Go has been cracked and demonstrated running games previously available only to owners of a standard PSP. Exactly how the company will respond is unclear, but it's safe to assume it'll include a firmware update that once again prevents PSP Go owners from playing a compatible game they can legally purchase.

As for the PS3, the gates have split wide open. The group investigating the PS3, Fail0verflow, discovered a serious flaw in the algorithm used to generate the PS3's cryptographic keys. According to pytey, a member of the group, "The complete console is compromised - there is no recovery from this. This is as bad as it gets - someone is getting into serious trouble at Sony right now."

From Fail0verflow's presentation.

GeoHot, aka George Hotz, and Fail0verflow weren't formally working together. After viewing the latter's presentation, however, GeoHot was able to crack and publish the PS3's master key. Both say they abhor piracy and were only interested in re-enabling Other OS and homebrew software. Hotz first announced he'd cracked the system in January of 2010, an event that prompted Sony to kill Other OS functionality altogether via firmware update.

Step 2:  Alienate your most technically proficient and hacker-friendly customer base:  Penguinistas to arms!

According to pytey, this was the point at which Fail0verflow jumped into the fray. "It became a valid target," pytey told BBC News. "That was the motivation for us to hack it. ... It was not trivial to do this."

In theory, the PS3 should never have been vulnerable to the attack method that's compromised it. At the most basic level, the system relies upon a master private key that's held by Sony to verify that any given console's firmware is legitimate/protected. Because this verification key is meant to incorporate a truly random number when generated, it should have taken millions of years to derive the master key by observing the public key used to verify the system. It should have worked—but Sony's signature software, which the company wrote itself, used a constant number rather than a random one.

Step 3:  Oops.

The nature of the flaw makes it impossible to fix. Sony will undoubtedly claim to have 'fixed' the situation via firmware updates, but anything it tries will be the equivalent of surface repairs to a home with a broken foundation. Sony's only real option is to correct its algorithm and spin a new version of the PS3 that's designed to verify the correctly generated signature instead of the broken one. This is, at best, an imperfect solution and could cause major software problems. Even if it doesn't, there's no way for Sony to repair the 40 million-plus consoles it's already sold. In the space of a few weeks, the company's entire antipiracy strategy has collapsed. Sony's response thus far has been to scurry into federal court to demand all copies of the relevant information be pulled offline; the company has apparently never heard of the "Streisand effect".

Step 4: The flawed public crypto key is what kills the system, but the other labels reflect other PS3 systems that have been independently hacked without using the flawed key.

It was inevitable that Sony would hurl every book it could find at the hackers in question, but it's not clear what the outcome will be. The individuals in question are on record as being strongly against piracy, they've painstakingly documented the flaws in the PS3's security systems, they aren't out for commercial gain, and they were working to restore functionality that existed when they purchased their consoles. When we covered the impact of killing Other OS last May, we concluded: "Even if the courts eventually rule Sony's removal of Other OS functionality doesn't constitute a breach of California law, there's still something to be said for not alienating a group of customers you openly courted just three years ago."

Them's words good enough to end on for a second time.

They didn't lose the war on piracy. They lost the war they were waging on consumers directly.

A war Microsoft lost LONG ago. Remember, when it comes to tech, anything is possible.

Joel H


You're drawing an incorrect conclusion as far as the root crack is concerned. The other hacks may fall fairly into the 'anything is possible' category, but the private key discovery is possible because Sony f*cked up in a massive way. If the private key was still secure my understanding is that the other flaws would be serious but potentially patchable.

  •  3vi1

I think Sony has possibly made a major miscalculation here. I wouldn't be surprised to see them lose if the EFF or someone else bankrolls the hackers' defense.

Mistake #1: Pursuing this when Sony themselves initiated it via the removal of OtherOS/Linux. That gave the hackers' tools a "reasonable non-infringing use." (i.e. to restore the functionality that was advertised at the sale of the console).

Sony once found themselves on the very opposite side of this argument during the days of Betamax vs. MPAA (and won!)

Mistake #2: Suing people that have repeatedly spoken out against piracy, instead of people actually engaged in piracy. These people don't seem to be directly responsible for any piracy whatsoever.  Smith & Wesson isn't liable for murders with their guns, nor should these guys be liable for misuse of their tools.

Mistake #3: Naming members of fail0verflow in the suit. fail0verflow members are in the EU and therefore not subject to the DMCA.

I can't wait for AsbestOS or some other project to release a signed package. I'll be able to boot my PS3 from a signed image - that doesn't suffer from Sony's artificial hypervisor restrictions on the RSX, and finally update my firmware from 3.20 to a version that allows me to play online again.

We'll just have to see if "justice" is done.


A lawsuit against hacking by the company that brought us one of the most widely propagated secret root-kit viruses that the world has ever seen.

One has to laugh at them,........Ha-Ha!

  •  3vi1

True realneil. It's easy to forget the rootkit fiasco Sony perpetrated against Windows owners.

They appear to be working under the impression that anything they do is legal, no matter how blatantly wrong, and that anything a user does to assert control over his own system/media is automatically illegal. Apparently some EULA that practically no one ever read (and which almost certainly contains things not legal in all jurisdictions) trumps common sense and legal rights.

Joel H


"They appear to be working under the impression that anything they do is legal, no matter how blatantly wrong, and that anything a user does to assert control over his own system/media is automatically illegal."

Let's not forget that a conservative reading of the DMCA encourages this interpretation. The efficacy of a copyright protection system is considered irrelevant when calculating whether or not a hacker has broken the law. The mere *presence* of something the company can claim constitutes copy protection is, in theory, all they need--even if they simply did an A = Z alphabet reversal.

I suspect that Sony might be found to have violated some US consumer protection laws but the DMCA does not make allowances for hackers attempting to restore machine capabilities. I think Sony will ultimately prevail in court--not that they'll ever recover what they'll lose in piracy.

  •  3vi1

For the most part I agree with you, and think the DMCA is the worst thing Clinton ever signed. I slightly disagree on one point though:

>> the DMCA does not make allowances for hackers attempting to restore machine capabilities.

Section 1201 has seven exemptions. The three that I think are relevant are:

- Reverse engineering in order to develop interoperable programs; [1201(f)]: I believe this could be construed to include homebrew apps.

- Encryption Research; [1201(g)]: Definitely part of what they were doing.

- Security Testing [1201(j)]: Also what they were doing.

Also, don't forget that there are other exemptions in there for legally obtained video games, and iPhone jailbreaking. It's not inconceivable that PS3 jailbreaking could get added as an exemption as a result of this case.

And on top of all this, as I said earlier.  The fail0verflow guys are in Europe.  The DMCA does not apply to them (another reason America should have fewer stupid rules/patents tying the hands of innovation).


Joel H wrote:

I think Sony will ultimately prevail in court--not that they'll ever recover what they'll lose in piracy.

I don't have a shred of sympathy for them. I hope that they take a bath.

This situation being discussed doesn't affect me at all, because I quit buying Sony anything after the root-kit fiasco. I don't usually forgive or forget either. So if those jerks want loyalty, then they're gonna have to go out and buy a Dog.

Joel H


True regarding Europe, though that's a loophole ACTA is supposed to close. I suspect Sony will do its best to make an example of GeoHot.


Why doesn't Sony just hire the guy? It seems he is better than their entire programming staff.

2011-01-14T04:14:55Z did Microsoft lose that war that you speak? Oh wait...I are one of those social outcasts who thinks that everyone is like you when in fact, no one wants to live even one second of their lives like you. The VAST majority of people like Microsoft and their products.


I think the reference to Microsoft here might be to WGA (Windows Genuine Advantage). This was their anti-piracy software which has failed in numerous ways, not the least of which has been to flag non-pirated copies of Windows as invalid -- with something on the order of 20% of WGA violations being false positives.

As far as I'm concerned, this would classify as a failure and in fact Microsoft is slowly giving up on this. Portions of their products and website that used to require WGA validation are going away. A good example is the MS Office download portion of, where recently WGA checks have been removed and Microsoft is now offering document templates without any restrictions.


Little stretch there paulkevin...it's different when you have a team of programmers that develop literally millions of lines of code and (probably) one or two f-ed up on this particular crypto-function.

These hackers know how to try and break code, not necessarily how to be expert-writers. Think of it this way, if you know how to rip apart or destroy a car engine, that doesn't necessarily mean you can put it back together in a good working order...

  •  3vi1

Sony's already running into problems with the suit: The judge says that "Sony has to show that George Hotz [...] has some connection to California if Sony is to claim damages for his work on the PS3."

Good luck on that.  As far as I know, George lives in New Jersey.  So much for Sony's tactic of suing out-of-state to cause financial duress to Hotz - they'll have to re-file in NJ.  If they file in any other location, particularly one with a history of stupidly defending IP like east-Texas, they'll prove they're douchebags.