GeoHot Sounds Off on Sony's PSN Debacle
Fresh out of a fierce legal battle with Sony, noted hacker George "GeoHot" Hotz has some words to say on the hardware giant's PS3 woes.
Though it may seem longer, it hasn't even been a month since George Hotz and Sony posted them on his blog [http://www.escapistmagazine.com/news/view/109150-GeoHot-and-Sony-Settle-PS3-Jailbreak-Case].
At the outset, Hotz emphatically denied any involvement with the PSN hack. "I'm not crazy, and would prefer to not have the FBI knocking on my door," he said, adding that he saw a clear distinction between hacking a device you owned and paid for and hacking someone else's database to steal the personal information of millions. "And, as a onetime victim of identity theft, I feel for everyone who's data has been stolen."
Nor does he fault the Sony engineers who designed the PS3 infrastructure, "the same way I do not fault the engineers who designed the BMG rootkit." Rather, said Hotz, the blame should be directed at the top, at Sony's executives who decided that the hacker community was their enemy, and who "laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts."
The meat of Hotz' post, however, is a giant discussion of how he feels Sony's arrogance and belief that it owns PS3s it sells to consumers is at the core of this attack. It is quoted in full below:
[blockquote]Now until more information is revealed on the technicals, I can only speculate, but I bet Sony's arrogance and misunderstanding of ownership put them in this position. Sony execs probably haughtily chuckled at the idea of threat modeling. Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client(can't trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server?
This arrogance undermines a basic security principle, never trust the client. It's the same reason MW2 was covered in cheaters, EA [sic - should be Activision?] even admitted to the mistake of trusting Sony's client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you. Notice it's only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not GMail when Android was rooted. Because other companies aren't crazy.[/blockquote]
Hotz finished his post with a message to whoever it was that cracked into Sony's system. While he acknowledged that the perpetrator was "clearly talented" and would either have "plenty of money (or a jail sentence and bankruptcy)" coming his or her way in the future, the hacker had forgotten Wheaton's Law [http://twitter.com/#!/wilw/status/5966220832]: "Don't be a dick" by selling personal information.
That said, Hotz admitted that he would love to see a write-up of how the hacker breached the system. "[Lord] knows we'll never get that from Sony, noobs probably had the password set to '4' or something."
(GeoHotgotsued [http://geohotgotsued.blogspot.com/2011/04/recent-news.html])
Permalink
Though it may seem longer, it hasn't even been a month since George Hotz and Sony posted them on his blog [http://www.escapistmagazine.com/news/view/109150-GeoHot-and-Sony-Settle-PS3-Jailbreak-Case].
At the outset, Hotz emphatically denied any involvement with the PSN hack. "I'm not crazy, and would prefer to not have the FBI knocking on my door," he said, adding that he saw a clear distinction between hacking a device you owned and paid for and hacking someone else's database to steal the personal information of millions. "And, as a onetime victim of identity theft, I feel for everyone who's data has been stolen."
Nor does he fault the Sony engineers who designed the PS3 infrastructure, "the same way I do not fault the engineers who designed the BMG rootkit." Rather, said Hotz, the blame should be directed at the top, at Sony's executives who decided that the hacker community was their enemy, and who "laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts."
The meat of Hotz' post, however, is a giant discussion of how he feels Sony's arrogance and belief that it owns PS3s it sells to consumers is at the core of this attack. It is quoted in full below:
[blockquote]Now until more information is revealed on the technicals, I can only speculate, but I bet Sony's arrogance and misunderstanding of ownership put them in this position. Sony execs probably haughtily chuckled at the idea of threat modeling. Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client(can't trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server?
This arrogance undermines a basic security principle, never trust the client. It's the same reason MW2 was covered in cheaters, EA [sic - should be Activision?] even admitted to the mistake of trusting Sony's client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you. Notice it's only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not GMail when Android was rooted. Because other companies aren't crazy.[/blockquote]
Hotz finished his post with a message to whoever it was that cracked into Sony's system. While he acknowledged that the perpetrator was "clearly talented" and would either have "plenty of money (or a jail sentence and bankruptcy)" coming his or her way in the future, the hacker had forgotten Wheaton's Law [http://twitter.com/#!/wilw/status/5966220832]: "Don't be a dick" by selling personal information.
That said, Hotz admitted that he would love to see a write-up of how the hacker breached the system. "[Lord] knows we'll never get that from Sony, noobs probably had the password set to '4' or something."
(GeoHotgotsued [http://geohotgotsued.blogspot.com/2011/04/recent-news.html])
Permalink