
PS3 OFW 3.56 New Feature: Rootkit (allegedly)

You know what I find funny?

When this happens, and the console can run signed code sent by Sony, everyone is worried about the supposed security hole.

But when an exploit is found that can run unsigned code made by anyone, no one gives a shit about the real security hole, all it matters then is that it can lead to CFW!!


iapetus said:
Except, of course, from what's been said this doesn't require you to log in to PSN. And no, that doesn't make it right either, in the same way that websites you connect to aren't allowed to send you arbitrary code to execute when you log in.
Actually, they are allowed, and they can, if you agree to it. It's what happens when you accept a Java or an ActiveX app.
 

LiquidMetal14

hide your water-based mammals
Vagabundo said:
I hope you're being ironic.
Lots of sarcasm is about. You just have to filter out and read the more logical responses. You're an alright chap, I get your concerns but rest easy. Some have put it quite simply in this thread. Some are just mad about Sony doing this to shore up their security on PSN mainly.
 

LiquidMetal14

hide your water-based mammals
Metalmurphy said:
You know what I find funny?

When this happens, and the console can run signed code sent by Sony, everyone is worried about the supposed security hole.

But when an exploit is found that can run unsigned code made by anyone, no one gives a shit about the real security hole, all it matters then is that it can lead to CFW!!
This just echoes my point of asking yourself this - Do you want official manufacturer FW or Charlie from the basement with 10 computers FW? What is the higher risk?
 

TheSeks

Blinded by the luminous glory that is David Bowie's physical manifestation.
So... basically: Sony now has something similar to XBL that was there on the OG X-box.

Their ultimatum: Homebrew or PSN. You don't get both.

... I'mokaywiththis.jpg

And I'm a homebrew defender. I don't like the "rootkit" fiasco going on in here, but if you want PSN access you need to lose the homebrew to continue to use it (or hope you can find a stealth way through the checks). If you want the homebrew it's time to go dark.

You know when you installed that/GeoHot's firmware that something like this would happen.

What is the higher risk?

Sony's, they've bricked a bunch of consoles during firmware updates over the years, as opposed to Johnny Basement's firmware that only bricks maybe one to five percent of the updaters before they make an "idiot proof"/safe firmware update version.
 

rager

Banned
I was going to mod my ps3 mainly for the hope of MKV support. But after all of this it is not worth it. I have two ps3 but I paid a lot of money for them and I do not want to do anything that will put me under the ban hammer.

It is going to be so fun to see all the whiners when sony lays the smackdown on the "Homebrewers/Pirates".
 

NHale

Member
Does anyone else still remember the days of the "Sony is doomed. PS4 will be released in 2011" or "Sony can't do shit. Firmwares will not work. We have the private keys, we will always be free to do whatever we want"? Apparently "war" changes...
 
Metalmurphy said:
You know what I find funny?

When this happens, and the console can run signed code sent by Sony, everyone is worried about the supposed security hole.

But when an exploit is found that can run unsigned code made by anyone, no one gives a shit about the real security hole, all it matters then is that it can lead to CFW!!
it's pretty hypocritical.

i doubt Sony even lets it have permission to have write access to anything other than RAM. i mean, if they did, what if someone reverses it and finds a way to jailbreak over the internet? they could just set up a proxy server that jailbreaks PS3's automatically...
 

N.A

Banned
Metalmurphy said:
You know what I find funny?

When this happens, and the console can run signed code sent by Sony, everyone is worried about the supposed security hole.

But when an exploit is found that can run unsigned code made by anyone, no one gives a shit about the real security hole, all it matters then is that it can lead to CFW!!

The people who are using CFW are not bothered about this as it doesn't affect us (we'll get an offline CFW with this patched out). This affects people on official firmware.
 

Argyle

Member
BTW I wonder where the outrage was when MS decided to "auto update" people's 360s when they were banned, I think they changed their keyvault so that locally signed content (game saves etc.) could no longer be read on other consoles...
 

WinFonda

Member
jcm said:
It's funny to me that many of the people who are concerned about this security hole will happily use some random dude's custom firmware and some random dude's DNS server.
Well gosh, that random dude is more like a high roller friend letting me drive around in his Ferrari. How can I not trust that guy?
 

DonMigs85

Member
kamorra said:
That wouldn't be a bad thing. Banning cheaters from PSN would be a good thing. A program that can execute code and install things without your consent would be a bad thing.
While you may own the physical console, Sony still owns the OS running on it and controls PSN, so it's really within their rights to run checks like this.
Also whether or not a TOS is enforceable where you live, Sony is still free to ban your account if they see fit.
 

LiquidMetal14

hide your water-based mammals
N.A said:
The people who are using CFW are not bothered about this as it doesn't affect us (we'll get an offline CFW with this patched out). This affects people on official firmware.
I like legit people like you and the ones who understand the rules in place for logging to PSN. I really do :)

WinFonda said:
Well gosh, that random dude is more like a high roller friend letting me drive around in his Ferrari. How can I not trust that guy?
What kind of insurance does he have though?

It better not be that cheap PLDP tripe!
 

itxaka

Defeatist
Metalmurphy said:
You know what I find funny?

When this happens, and the console can run signed code sent by Sony, everyone is worried about the supposed security hole.

But when an exploit is found that can run unsigned code made by anyone, no one gives a shit about the real security hole, all it matters then is that it can lead to CFW!!



Actually, they are allowed, and they can, if you agree to it. It's what happens when you accept a Java or an ActiveX app.
User interaction is the difference here. One, the user chooses to install with all the consequences. In the other case, no user interaction is needed.

Come on son, you are smarter than that
 
N.A said:
The people who are using CFW are not bothered about this as it doesn't affect us (we'll get an offline CFW with this patched out). This affects people on official firmware.
Correct me if I'm wrong but, 3.56 users can no longer install CFW right? Hypothetically a 3.56 exploit could be found which leads to CFW and the point I was making. No one would care and they'd actually be happy about it.

itxaka said:
User interaction is the difference here. One, the user chooses to install with all the consequences. In the other case, no user interaction is needed.

Come on son, you are smarter than that
You can choose to not install 3.56, you can also choose not to connect it to the internet.
 
Argyle said:
BTW I wonder where the outrage was when MS decided to "auto update" people's 360s when they were banned, I think they changed their keyvault so that locally signed content (game saves etc.) could no longer be read on other consoles...
there was outrage, and the only thing MS reversed course on was HDD installs being disabled. which most agree with, as HDD installs have nothing to do with Xbox Live.
 

Raist

Banned
TheSeks said:
Sony's, they've bricked a bunch of consoles during firmware updates over the years, as opposed to Johnny Basement's firmware that only bricks maybe one to five percent of the updaters before they make an "idiot proof"/safe firmware update version.

I don't remember any OFW bricking 100% of consoles have a set of defined serials.
 

kamorra

Fuck Cancer
Argyle said:
BTW I wonder where the outrage was when MS decided to "auto update" people's 360s when they were banned, I think they changed their keyvault so that locally signed content (game saves etc.) could no longer be read on other consoles...

I wonder why the (GAF) outrage over this is so much bigger than the one over 360 and Wii piracy.
 

iapetus

Scary Euro Man
Metalmurphy said:
You know what I find funny?

When this happens, and the console can run signed code sent by Sony, everyone is worried about the supposed security hole.

But when an exploit is found that can run unsigned code made by anyone, no one gives a shit about the real security hole, all it matters then is that it can lead to CFW!!

Quit it with your shitty attempts to conflate entirely different scenarios.

When an exploit is found that lets you choose to run unsigned code and make the informed decision to take the risk to do so, that is one thing.

When an exploit is created that allows someone to run arbitrary code on your hardware without your permission and without your knowledge of what it does, then that is an entirely different scenario.

Metalmurphy said:
Actually, they are allowed, and they can, if you agree to it. It's what happens when you accept a Java or an ActiveX app.

Not just by connecting to the website to carry its normal use. And you have the ability to sandbox the apps (all Java apps will be sandboxed) and/or refuse them access to your system.
 
pj said:
Oh, so all a hacker has to do is compromise the playstation network, find and use the tools that create the auto run software, create something malicious, distribute it through PSN, and then all playstations turn into spam zombies. All without sony noticing. Seems likely as fuck, IMO.
Have you ever met a hacker before?

Step 1 is the only deterrent, and that should happen fairly soon. By the time they finish step one, everything else will be ready to go.
 

tzare

Member
N.A said:
The people who are using CFW are not bothered about this as it doesn't affect us (we'll get an offline CFW with this patched out). This affects people on official firmware.
i use OFW and i am not worried AT ALL.
 
kamorra said:
I wonder why the (GAF) outrage over this is so much bigger than the one over 360 and Wii piracy.
the same reason there was more outrage over DC piracy than PS2... when a platform is doing well, people don't blame piracy for failure.
 

DonMigs85

Member
rager said:
I was going to mod my ps3 mainly for the hope of MKV support. But after all of this it is not worth it. I have two ps3 but I paid a lot of money for them and I do not want to do anything that will put me under the ban hammer.

It is going to be so fun to see all the whiners when sony lays the smackdown on the "Homebrewers/Pirates".
Yeah, especially after seeing them act so smug and over-entitled. All for the sake of their precious emulators and backup managers (because apparently they're too lazy to get up off the couch and swap discs. I might be more understanding if their BD drives are actually dead).
 

TheSeks

Blinded by the luminous glory that is David Bowie's physical manifestation.
Raist said:
I don't remember any OFW bricking 100% of consoles have a set of defined serials.

And that 100% is less if you aren't an idiot and go "CFW! *jumps on the newest*"

You wait for the people that make the code to test it and declare it okay to update before doing it.

Meanwhile, Sony:

"New firmware."
"ZOMG SAFE!"
(bricks)
 

kamorra

Fuck Cancer
DonMigs85 said:
Also whether or not a TOS is enforceable where you live, Sony is still free to ban your account if they see fit.

Well that wouldn't be a problem as long as there will be a way that I can access my bought PSN games. I don't argue against banning people from PSN because they cheat, hack or whatever.
 

Jinfash

needs 2 extra inches
I'd really like it if more people with firm knowledge about the contents of the update would share more info.

This thread is yet again being flooded with the morality discussions, and unnecessary declarations of personal stances on jailbreaking. We've literally gone through this many, many, times and it's getting really annoying. I know that there's already an official safe haven for CFW talk, but this is new news, it deserves its own thread, and I feel that the rules of the official CFW thread should extend to it.
 

squatingyeti

non-sanctioned troll
NHale said:
Does anyone else still remember the days of the "Sony is doomed. PS4 will be released in 2011" or "Sony can't do shit. Firmwares will not work. We have the private keys, we will always be free to do whatever we want"? Apparently "war" changes...


Erm, they do have the private keys and they will always be free to do whatever they want. That does not mean Sony can't see what they've done and ban them from PSN. What you mainly have here is Sony temporarily silencing one of the main players by court (geohot) and the other players technically silenced temporarily if they live in the US.
 

jcm

Member
Vagabundo said:
I still don't like that Sony could run code on my system even if I login to PSN. I like to approve anything that runs on it and I don't like not knowing what it does. If it starts scanning through my hard drive connected to my PS3 I'd be pissed.

Then you should only run an open source OS on a PC. You have been running arbitrary Sony code without knowing what it does since day 1. You also run arbitrary MS code on 360s and PCs, and arbitrary Apple code on macs and iPhones, etc.
 

mclem

Member
Choc said:
are you kidding? what a strawman argument if ever i saw one


have you not read how routers work. routers block ports. it would typically BLOCK the psn port, you open that port the ps3 is allowed BUT hackers can see it

until now it may have been protected, now it *may* (rumor) have a rootkit which is a trojan to allow remote execution of code

that is a big issue

Assuming it works as described here, this would only happen if the potential hacker was able to spoof themselves as a PSN login server; as I understand it from the descriptions, it's not "the port is always open and awaiting pushes of code", it's "Once you have established a connection to a PSN server, the PS3 will download and execute a block of code from the server".

And, to be fair, if a hacker *is* spoofing themselves as a login server on your network... your network's already compromised. Sorry.

Apologies if I'm incorrect, mind. I'm just going based on what I've read.


Edit: And that's what I get for being stuck on the first page. Sorry!
 
kamorra said:
Well that wouldn't be a problem as long as there will be a way that I can access my bought PSN games. I don't argue against banning people from PSN because they cheat, hack or whatever.
they don't delete the games when they ban you.
 

LiquidMetal14

hide your water-based mammals
TheSeks said:
And that 100% is less if you aren't an idiot and go "CFW! *jumps on the newest*"

You wait for the people that make the code to test it and declare it okay to update before doing it.

Meanwhile, Sony:

"New firmware."
"ZOMG SAFE!"
(bricks)
I get what you're saying but do you not think Sony tests these FW's with all model PS3's and in different environments before releasing to the public? I'm pretty sure that's a yes as opposed to Charlie from the basement with 10 computers and 3 routers who codes something and says "oh sorry guys, I forgot this one thing so if it bricks your system, the next update will patch that up". So only a few dozen homebrew followers/testers are affected. It's all for the cause right? It's just too risky. Not hating on you btw just trying to convey my point.

Again, the inherent risks of updating any kind of FW are always there. I just trust the original manufacturer more than a hacker.
 

squatingyeti

non-sanctioned troll
DonMigs85 said:
Yeah, especially after seeing them act so smug and over-entitled. All for the sake of their precious emulators and backup managers (because apparently they're too lazy to get up off the couch and swap discs. I might be more understanding if their BD drives are actually dead).

Because that's all CFW will ever bring. How long will this ridiculous train of thought continue? I imagine back in the day of the original Xbox, all that was going to come of the hack was booting games and emulators. What do you mean XBMC? Never heard of it.
 

Oni Jazar

Member
TheSeks said:
And that 100% is less if you aren't an idiot and go "CFW! *jumps on the newest*"

You wait for the people that make the code to test it and declare it okay to update before doing it.

Just what... last week?... there was a CFW that the guy released which began bricking a bunch of systems..

As a developer of complex systems, I know accidents happen, but who has the stronger safety measure? A company with multiple dedicated testing staff or one dude with maybe a few of his buddies?
 
iapetus said:
Quit it with your shitty attempts to conflate entirely different scenarios.

When an exploit is found that lets you choose to run unsigned code and make the informed decision to take the risk to do so, that is one thing.

When an exploit is created that allows someone to run arbitrary code on your hardware without your permission and without your knowledge of what it does, then that is an entirely different scenario.
It's as shitty as the one you just made. For example, you just called what Sony made an exploit without even knowing if it actually is one. And again you choose to install this firmware update. You choose to connect it to PSN.

iapetus said:
Not just by connecting to the website to carry its normal use. And you have the ability to sandbox the apps (all Java apps will be sandboxed) and/or refuse them access to your system.
If you accept it the first time then all other times after that it will be just by its normal use. No different than accepting to install this firmware.

kamorra said:
I never believed that they do. I'm just saying that they should ban consoles and not accounts. Like MS.
It's what they do. Even on the PSN ban the msg you get is something about your console and not the actual account. Not sure if they do both though.
 

Vagabundo

Member
jcm said:
Then you should only run an open source OS on a PC. You have been running arbitrary Sony code without knowing what it does since day 1. You also run arbitrary MS code on 360s and PCs, and arbitrary Apple code on macs and iPhones, etc.

I run Ubuntu on all my computers. :D I have a winXP partition for gaming with nothing on it really except steam.
 
kamorra said:
I never believed that they do. I'm just saying that they should ban consoles and not accounts. Like MS.

That's what they would be doing. It wouldn't matter if they banned account anyway since any game on your harddrive is playable in any account that you select.
 

test_account

XP-39C²
Taken from the PS3 CFW thread:

iapetus said:
Except where it says:

The Sony rootkit is designed to hide any files, registry keys and processes whose name starts with the string $sys$, making it very easy for writers of worms and other malware to also hide their files by simply using the same name. Within weeks there were several trojans and worms taking advantage of this functionality in machines already compromised by the Sony rootkit.

Zing.
Assuming that the PS3 now has a similar rootkit as the audio-CD rootkit, would it be possible to get trojans and malware on the PS3? If so, how is this possible? I'm wondering about this. On PS3 CFW i can see that it is possible because people can develop their own PS3 programs, put it online and people can download it and run it. But what about PS3 consoles that haven't been hacked/modified at all? But as with all "private" software, we should be careful about what we install :)
 

Raist

Banned
iapetus said:
Quit it with your shitty attempts to conflate entirely different scenarios.

When an exploit is found that lets you choose to run unsigned code and make the informed decision to take the risk to do so, that is one thing.

When an exploit is created that allows someone to run arbitrary code on your hardware without your permission and without your knowledge of what it does, then that is an entirely different scenario.

For all we know snes_emulator_v1.4.pkg logs every single password you type in the PS3 browser, your PSN account info and credit card details, and uploads it on a server. Given how the PS3's security has been completely cracked open with CFW, that is entirely possible.
Actually way more possible than someone hacking the PSN and running malicious code on your PS3 (with keys that can't be obtained anymore but nvm) through this FW update.

So why exactly are people freaking out now but are A-OK with CFW?
 

LiquidMetal14

hide your water-based mammals
test_account said:
Taken from the PS3 CFW thread:


Assuming that the PS3 now has a similar rootkit as the audio-CD rootkit, would it be possible to get trojans and malware on the PS3? If so, how is this possible? I'm wondering about this. On PS3 CFW i can see that it is possible because people can develop their own PS3 programs, put it online and people can download it and run it. But what about PS3 consoles that haven't been hacked/modified at all? But as with all "private" software, we should be careful about what we install :)
You just have to assume they learned from their mistakes. And this is a whole lot more complicated than the CD rootkit. But is this a rootkit now? Or is it FUD at this point?
 

N.A

Banned
Metalmurphy said:
Correct me if I'm wrong but, 3.56 users can no longer install CFW right? Hypothetically a 3.56 exploit could be found which leads to CFW and the point I was making. No one would care and they'd actually be happy about it.

With this "rootkit" Sony can detect any modification to 3.56 if you connect to PSN. There is no reliable way to block this (Sony can just keep modifying the code).

A 3.56 CFW is possible but would not pass any checks when connecting to PSN.

As someone who uses CFW I always accepted that I would lose PSN access (and Sony have every right to do this). This "rootkit" (if you can call it that) is a very effective way for Sony to achieve this.

Whether Sony is right to do this is another matter. Their history of protecting "unbreakable" security isn't exactly great...
 

kamorra

Fuck Cancer
SolidSnakex said:
That's what they would be doing. It wouldn't matter if they banned account anyway since any game on your harddrive is playable in any account that you select.

It would matter. You couldn't use your account on another PS3 or a potential PS4. Yeah, I know you could make a backup of your PS3 hdd. But that never really worked for me.
 
Raist said:
For all we know snes_emulator_v1.4.pkg logs every single password you type in the PS3 browser, your PSN account info and credit card details, and uploads it on a server. Given how the PS3's security has been completely cracked open with CFW, that is entirely possible.
Actually way more possible than someone hacking the PSN and running malicious code on your PS3 (with keys that can't be obtained anymore but nvm) through this FW update.

So why exactly are people freaking out now but are A-OK with CFW?
You're gonna get the "you get to choose" response.
 

DonMigs85

Member
squatingyeti said:
Because that's all CFW will ever bring. How long will this ridiculous train of thought continue? I imagine back in the day of the original Xbox, all that was going to come of the hack was booting games and emulators. What do you mean XBMC? Never heard of it.
We'll have to see how this all plays out because right now there isn't really any great homebrew, and it may not get a chance to blossom. A video converter ala Handbrake that can put Cell to good use would be nice, for starters.
 

Argyle

Member
squatingyeti said:
Erm, they do have the private keys and they will always be free to do whatever they want. That does not mean Sony can't see what they've done and ban them from PSN. What you mainly have here is Sony temporarily silencing one of the main players by court (geohot) and the other players technically silenced temporarily if they live in the US.

For all the mistakes Sony has made on the PS3 security, I think it extremely unlikely that they would not sign this check (not to mention all future games) with a new private key.

The bug in their signing algorithm has reportedly been fixed, so it's unlikely the hackers will be able to derive the new private key, IMHO (certainly not using the same technique).
 

Vagabundo

Member
Raist said:
So why exactly are people freaking out now but are A-OK with CFW?

What does this have to do with CFW?

I don't run it. And millions of other people who install this update aren't running it either. In fact the people okay with CFW are waiting to have a scrubbed version of this update. So the only people affected will be OFW users like me.

Argyle said:
For all the mistakes Sony has made on the PS3 security, I think it extremely unlikely that they would not sign this check (not to mention all future games) with a new private key.

The bug in their signing algorithm has reportedly been fixed, so it's unlikely the hackers will be able to derive the new private key, IMHO (certainly not using the same technique).

You'll excuse me, I'm sure, if my faith in Sony's security is at a low ebb right now.
 