Techdirt. Stories filed under "hack"

The 'Final' Sony PS3 Hack

Timothy Geigner — Thu, 25 Oct 2012 20:27:10 PDT

Sony's awesome freakout over folks "hacking" their PS3 product to return the functionality they originally advertised, but then retroactively took away, has been a long and often times hilarious saga. That said, all that freaking out occurred when the PS3 was still in its prime. Now that the console, while still the latest generation of Sony gaming console on the market, is clearly in its twilight years, it will be interesting to see how they react to what Sophos is reporting -- the Playstation 3 being "hacked for good".

The PS3 has been hacked before, but Sony was able to inhibit the hack with an update to its own firmware. This is much like the history of jailbreaking on Apple's iOS, where hackers typically uncover a security vulnerability and exploit it, whereupon Apple patches the hole and suppresses the jailbreak.

But the latest PS3 break is being dubbed unpatchable and the final hack. That's because this hack isn't giving you an exploit to use against a programming hole. It's giving you Sony's so-called LV0 (level zero) cryptographic keys.

If true, the war is over and Sony lost. Hacker collective, the Three Musketeers, reportedly figured this all out some time ago, but now the LV0 keys have been leaked and it's open season on jailbreaking your PS3 (assuming you're technical enough to implement it). And, while it would be very easy to sit back and comment gleefully on the wonderful spirit of curiosity that propels this kind of work, and to likewise point out the futility of stopping people from tinkering with the products they legally bought, I find a different point more compelling.

Quite simply, this war that Sony lost did not need to be fought. They advertised a feature and it was only the subsequent and unilateral removal of that feature, which many customers very much wanted, that created all of this controversy. Without that removal, how much litigation money does Sony save? Without being anti-consumer, how much ill-will do they avoid? And all of that to fight a battle that, not only did they lose, but that they had to know they were overwhelmingly likely to lose over the long haul. Sophos touches on this point in hoping for a different approach in the future.

Let's hope, when the PS4 comes out, that Sony will give up on trying to lock out jailbreakers permanently, and instead provide a way for those who want to run alternative software to do so in official safety.

When King Cnut famously ordered the tide back and failed, he wasn't an arrogant absolute ruler trying to show off. He knew he would fail, and thereby demonstrated that to hold back the tide was impossible - and, in any case, unnecessary - even for a king.

Once I got done snickering at the name King Cnut, I found the analogy perfectly fitting. Hopefully Sony will avoid this war entirely the next go around, though with their track record, I won't be holding my breath.

Permalink | Comments | Email This Story

FBI Denies That Hacked Apple Info Came From FBI

Mike Masnick — Tue, 4 Sep 2012 15:12:36 PDT

Earlier today, we wrote about Antisec releasing some Apple UDIDs to show that it had apparently collected info on 12 million Apple users, which it claims to have found when it hacked into an FBI's laptop. As we noted at the time, the file was called "NCFTA_iOS_devices_intel.csv," which implied that it came from the National Cyber-Forensics & Training Alliance, a vehicle set up to allow companies to share info with the government. However, the FBI is now flat out denying that any of its laptops had been hacked or that it had the info. Antisec is, to say the least, unimpressed: The FBI's denial comes after an earlier, weaker denial, in which they just said they had "no evidence" to support the story. Now they're saying it's "TOTALLY FALSE" (all caps for EMPHASIS). And, of course, Antisec folks are reminding the FBI (and the public) that they're still sitting on 3TB of additional data from this hack -- which suggests that they're planning to release more to prove that the hack really was of an FBI machine. Either way, now that the fight is happening on Twitter, it seems time to grab some virtual popcorn, sit back and watch the fireworks.

Permalink | Comments | Email This Story

Apple Plays Cat And Mouse With In-App Purchase Hacker

Zachary Knight — Fri, 20 Jul 2012 05:23:00 PDT

Piracy has been considered the bane of game developers for as long as games have existed. Over the years, many methods of fighting piracy or turning those who play for free into paying customers have come and gone. Some methods focused deterring pirates while others instead focused on maximizing profits. One of these profit maximizing endeavors, which recently gained traction with game developers, is the use of micro-transactions -- or as they are often called in the mobile world, "in-app purchases." This method of revenue generation was quickly accepted by many game developers, as it provided a way to distribute the game for free to as many people as possible with the prospect that enough of those free users would then buy in-game items with real money.

Because of this model of doing business, mobile phone producers (mainly Apple) have developed APIs that allow game developers to easily tie their in-game stores to Apple's payment processing and authentication services. While this method is not without its issues, it has been accepted as a relatively secure method of monetizing a game. That is, until one hacker named Alexey V. Borodin figured out a relatively simple way to spoof the purchases of in game items. Using this exploit, Alexey claims that as many as 30,000 transactions have been made since instructions went live.

In a follow up article, The Next Web reports that Apple has begun efforts to prevent the spread of this exploit. These efforts include blocking the IP address of the server Alexey was using, requesting the server be taken down by the Russian hosting company which owned it, sending take down notices to Youtube over videos providing instructions, and getting PayPal involved in shutting down the account Alexey was using to generate donations (a whopping $6.78 was raised according to that report). Apple also included the following statement:

The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.

Even with all these attempts at taking down Alexey's service, it still remains up and running for all willing iPhone users to take advantage of; that is, if those users are willing to risk their privacy and iTunes accounts to use it, something Alexey claims is not an issue.

While this exploit is very troubling on many levels, it really highlights the folly of relying on security through obscurity. Apple had the chance to secure its APIs long before this exploit happened. It has an opportunity to do so now. In fact, Alexy states that he is more than willing to talk about the issue with Apple. Unfortunately, Apple has not contacted him. While I can understand Apple's unwillingness to work directly with someone who openly exploits its services, it would be prudent to use all available options to end this exploit.

One would hope that game developers who feel threatened by this exploit will pressure Apple to fix the security issues in its APIs as well as provide some kind of training in best practices in securing in-app purchases. Of course game developers should also be doing their part to use all available tools to protect the integrity of their games as well -- something all software developers should do from the beginning.

Permalink | Comments | Email This Story

Hack Attack In South Korea Gets Access To Data On Over 70% Of Everyone In The Country

Mike Masnick — Fri, 29 Jul 2011 15:42:38 PDT

We've talked about some massive data breaches in the past, but a recent hack attack in South Korea apparently resulted in personal information on 35 million people being copied. The country has a population somewhere around 49 million... meaning that over 70% of South Koreans had their personal info copied by someone. Authorities are blaming China, though it's not clear if that's really the case. Either way, whoever did the hack got "user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses." At least the SSNs and passwords were encrypted, so it's not quite as bad as it could have been. But it basically sounds like if you have internet access in South Korea, someone probably got your data.

Permalink | Comments | Email This Story

Sony's Insurer Says It Shouldn't Have To Pay For Cost Of PlayStation Network Hack

Mike Masnick — Fri, 22 Jul 2011 15:28:00 PDT

Butcherer79 points to even more problems for Sony in the aftermath of the massive hacking of the PlayStation Network. It seems that Sony was expecting its insurance provider, Zurich American Insurance, to cover any costs. Zurich American Insurance apparently has other ideas:

Zurich American Insurance has now gone to court in New York seeking a declaration that it does not have to help Sony with current or future legal action related to the data breach.

Legal papers filed by Zurich reveal that 55 separate class action lawsuits are pending in the US because of the breach.

Sony has indicated that it expected Zurich to cover any such fees, but Zurich is saying no way, no how. Apparently, Zurich says that its contract with Sony doesn't even cover the parts of the business that were hacked, and other clauses in the deal show that this isn't Zurich's problem at all.

Permalink | Comments | Email This Story

Sony CEO: We Were Hacked By Freetards Who Just Want Everything Free

Mike Masnick — Wed, 29 Jun 2011 07:14:56 PDT

Ah, delusion in the CEO suite. Sony CEO Howard Stringer has been struggling to deal with the fact that pretty much everyone* in the tech world now hates his company. He famously called the month or so of downtime for the PlayStation Network, due to Sony's own failure to properly secure its servers, "a hiccup." He's also continued Sony's standard practice of going to war against makers, hackers and innovators, by trying to close off everything and then suing anyone who dares to try to do more with the products they thought they'd bought.

Stringer, at a recent Sony shareholder meeting, had to deal with critics concerning the PSN downtime, and his response was not to take any of the blame, or to admit that Sony might have been at fault, but rather to say that hackers pick on the company because it likes to "protect" its intellectual property:

"We believe that we first became the subject of attack because we tried to protect our IP (intellectual property), our content, in this case videogames," Stringer told shareholders at Tuesday's meeting in response to a question about the background to the incident.

Of course, that's an interesting version of revisionist history. There are all sorts of theories as to why Sony got hacked, with Occam and his trusty Razor suggesting the simplest answer: because Sony had crazy weak security that would allow malicious hackers to make off with useful information with which they could profit. But even if we grant Stringer's unsupported assertion was true, what set many people off (though, not necessarily these hackers) was the fact that Sony sued George Hotz for doing nothing more than helping to re-enable a feature that Sony had marketed as part of the PS3... and then had retroactively disabled. That's not "protecting Sony's IP." That's breaking a product and false advertising... and then suing people for trying to help make your products more valuable.

But Stringer apparently wasn't done there. You see, the real problem is just those damn freetards:

“These are our corporate assets,” Stringer told the meeting, “..and there are those that don’t want us to protect them, they want everything to be free.”

Seriously, Howard? This has absolutely nothing to do with people wanting stuff for free. People are pissed because you're suing people who are trying to improve your products -- the ones they actually paid for (yes, with real money). If anything, they want "free" as in speech, not free as in beer. They're looking for the freedom to tinker and to expand and to build.

And you're giving them the opposite.

And let's can the crap in which you pretend that Sony has to "protect" its intellectual property in this manner. It doesn't. You can treat customers right, even without being overprotective. Why, just look at Samsung, one of your biggest competitors. When it came out with a new device, rather than freaking out about people jailbreaking it, it sent free devices to some of the top modders, and asked them to mod and hack them faster...

That's called treating your community right, not treating them as criminals. It's not because people want everything to be free. People are quite often happy to pay for something of scarce value to them. Where they get upset is when you make that product less valuable by locking it down in anti-consumer ways.

So, no, you weren't hacked by freetards. You were hacked because you had dreadful security, and everyone's pissed not because they want stuff for free, but because you treat them like crap.

* Yes, slight exaggeration. But no more than calling over a month downtime on a popular gaming platform a "hiccup."

Permalink | Comments | Email This Story

Oh Look, Sony Hacked Again, Site Used For Phishing

Mike Masnick — Mon, 23 May 2011 04:43:31 PDT

Late on Friday, the news came out that Sony had been hacked yet again, and this time the hacked site was being used for phishing. This was totally unrelated to the PlayStation Network hacks, but involved a website for Sony Thailand. Still, given all the trouble Sony has had lately keeping its systems secure, this seems to just add another layer to the stack of questions about Sony's technical competence.

Permalink | Comments | Email This Story

Well, That Was Fast: Sony's New PSN System? Hacked!

Mike Masnick — Wed, 18 May 2011 11:46:38 PDT

So, it took a few weeks for Sony to get everything in order after its er... hiccup in exposing the details of everyone on the PlayStation Network. And, now it appears that the Japanese government's worries that Sony hadn't really fixed the problem or made its system secure appear to be coming true. There are reports this morning that the new password reset system has been exploited, such that you could change anyone's password if you have their email and date of birth. You know where you could have gotten that info? From the original hacked data. Right. *Hic*

Permalink | Comments | Email This Story

Sony CEO Howard Stringer: Month-long Hackathon Merely A 'Hiccup'

Tim Cushing — Wed, 18 May 2011 09:38:38 PDT

As we've all seen over the last thirty days or so, Sony has handled their month-long data breach/pwnage with all the grace and humility that one expects from an out-of-touch megacorporation. Between dismissing the breach as "harmless" and fingering the ever-popular "Anonymous" for all the trouble, Sony has managed to stay at least one step behind their attackers the whole way. To add insult to injurious class action lawsuit, it emerged from the 30-day hackout bruised, bleeding and completely unable to go back online in its own country.

CEO Howard Stringer apparently has come to the conclusion that there's still plenty of room for more foot in Sony's mouth, dismissing the longest outage by any console maker as merely a "hiccup in the road to a network future."

Now, I don't want to presume to speak for everybody, but generally when I have the hiccups (inside or outside of the road), it tends to leave the nearest 77 million people unaffected. Sure, I may get some random advice (drink a glass of water/hold your breath/salt your passwords), but otherwise life goes on and I'm the only one bothered by it. Plus, these hiccup attacks never run more than 10-12 days at the most and only rarely do I lay the blame at the feet of unrelated hacking entities.

Thank you, Howard, for clearing that up. I'll be sure to dismiss any unknown charges to my credit cards as mere "hiccups in the road to financial instability" and when my linked email account becomes a spam-spewing zombie, I'll just hold my breath until it all goes away.

Permalink | Comments | Email This Story

PlayStation Network Coming Back Online Post Hack... But Not In Japan

Mike Masnick — Tue, 17 May 2011 06:08:00 PDT

There have been a bunch of stories about how Sony is finally bringing its PlayStation Network back online (though, the funniest headline I've seen is the BBC's which claims that Sony is "relaunching" the PSN, as if it's a marketing thing...). However, it appears that the gradual comeback is not coming to Japan just yet, as the government is not yet comfortable that Sony can really protect its users:

"We met with Sony on May 6 and 13, and basically we want two things from them," Kazushige Nobutani, director of the Media and Content Industry department at the Ministry of Economy, Trade and Industry, told Dow Jones Newswires.

He listed two areas where it requires further explanation before approval will be given following the incidents regarding its PlayStation Network and Sony Online Entertainment videogame services.

"The first is preventative measures. As of May 13, Sony was incomplete in exercising measures that they said they will do on the May 1 press conference," he said, adding that he could not provide details on the outstanding issues for security reasons.

The second was in how Sony hoped to regain consumer confidence over personal data such as credit card information.

"There were similar cases in the past that were caused by other firms, and we are asking Sony whether their measures are good enough when compared to countermeasures taken in the past," he said.

Permalink | Comments | Email This Story

Sony Trying To Play Whac-A-Mole Over PS3 Hack

Mike Masnick — Mon, 31 Jan 2011 15:58:11 PST

You would think that Sony, of all companies, would know better than to overreact to a DRM issue -- given its experience with the infamous CD rootkit a few years back. However, the company can't seem to resist making itself look foolish. Beyond seeking to gag the guy who figured out how to get around Sony's digital locks on the PS3 to re-enable the "Other OS" functionality that Sony remotely disabled, it's now sending DMCA takedowns to GitHub (and possibly others) ordering them to remove repositories of code around such cracks (found via Slashdot). I'm really curious how Sony and its lawyers could possibly think all of this is a good idea. It's not like any of these efforts will actually slow down or stop these cracks getting out there and used. In fact, all it does is call that much more attention to these hacks, and convince more people to either get involved or just to use them.

Permalink | Comments | Email This Story

In Case You Didn't Know... People Hack Email Accounts All The Time

Mike Masnick — Tue, 8 Sep 2009 22:17:00 PDT

Almost exactly a decade ago, we wrote about how it was quite easy for people to get passwords from AOL users. Somehow, somewhere, for many years, that post was one of the top results for people searching on "steal AOL passwords," meaning that (to this date) it's been one of our most commented on posts, with tons of clueless individuals asking in the comments how to steal someone's password. So, it wasn't much of a surprise to me to find out that there are a bunch of services out there doing a brisk business in selling the ability to hack email accounts for about $100 per account (cheaper in some cases), and there really isn't that much to be done about it. It's not a big enough problem for authorities to really care about. Even if they did crack down, it wouldn't stop the activity at all -- others would quickly pop up offering the same thing. Still, it's fascinating to see how blatant some of the services are in advertising their wares. You would think that they'd try to be at least a little subtle. However, I guess with so little likelihood of getting in trouble for it, those offering such services don't see any advantage in not being upfront.

Permalink | Comments | Email This Story

AT&T And T-Mobile Pay Up For Not Being Truthful About Voicemail Hackability

Mike Masnick — Mon, 15 Dec 2008 22:50:42 PST

Many mobile phones' voicemail systems have worked on the basis of checking the caller ID of the incoming caller -- and if it matched the number of the voicemail box, it would automatically push the caller through to the admin interface. The idea was that if the owner of the box was calling, he or she shouldn't have to put in the passcode to get to the messages. The only problem with this was that, if anyone could spoof your caller ID, they could access your voicemail. After a few high profile such voicemail attacks, many mobile operators urged customers to change their voicemail preferences to require a passcode, no matter what. Still, there were some operations out there, that went under names like SpoofCard, Love Detect and Liar Card, that would spoof a caller ID to get access to a voicemail box. The company behind them has been fined, but what may be more interesting is that T-Mobile and AT&T were also both fined for apparently being misleading about their susceptibility to the hack.

That seems a bit strange, and the article is woefully short on details, unfortunately. Pretty much anything is hackable given certain circumstances, and it always seems a bit odd to totally blame a hacking victim for being hacked. So it would be good to know why T-Mobile and AT&T, in particular, were fined in this case. Did they not even allow passcodes to be enabled for those who wanted to avoid this potential hack?

Permalink | Comments | Email This Story