Support NeoGAF

[kamorra]

For all we know snes_emulator_v1.4.pkg logs every single password you type in the PS3 browser, your PSN account info and credit card details, and uploads it on a server. Given how the PS3's security has been completely cracked open with CFW, that is entirely possible.
Actually way more possible than someone hacking the PSN and running malicious code on your PS3 (with keys that can't be obtained anymore but nvm) through this FW update.

So why exactly are people freaking out now but are A-OK with CFW?

It would be pretty easy to spot something like that.

 

[Grampa Simpson]

Correct me if I'm wrong but, 3.56 users can no longer install CFW right? Hypothetically a 3.56 exploit could be found which leads to CFW and the point I was making. No one would care and they'd actually be happy about it.

You're wrong. 3.56 does nothing to stop you from installing custom firmware. A 3.56 console can run all the custom firmware that 3.55 can. What 3.56 does is it give PSN the ability to remotely install new code on the PS3 without user interaction. The intended use of this would be for Sony to upload a bit of code to your console that runs a quick hash check on all of the executables on your hard drive and then sends them back to Sony. Sony could then use those hash values to see if you have anything installed that they haven't officially signed. Then they can remotely delete that software and reboot your console. They're theoretically unmodding your console remotely.

The problem is that they've done it in such a way that someone malicious could theoretically use that same method to brick any 3.56 PS3 that connects to PSN.

 

[Bojanglez]

Then you should only run an open source OS on a PC. You have been running arbitrary Sony code without knowing what it does since day 1. You also run arbitrary MS code on 360s and PCs, and arbitrary Apple code on macs and iPhones, etc.

Exactly, if you can't trust the company that creates the OS to maintain their own OS then you should seriously think twice before buying anything with that OS on.

If it was an another company installing something on Sony's OS then I can understand the outcry, but crying about Sony making an update to their own OS is absurd.

 

[Metalmurphy]

You just have to assume they learned from their mistakes. And this is a whole lot more complicated than the CD rootkit. But is this a rootkit now? Or is it FUD at this point?

Both situations are so different that it doesn't even compare. Two completely different machines. I mean, have you ever heard of a virus for PS3? Yet you heard of countless ones for PC without that rootkit. To say that this update will lead to malware n stuff based on the 2005 rootkit makes no sense.

 

[gregor7777]

I never believed that they do. I'm just saying that they should ban consoles and not accounts. Like MS.

I posted it earlier, but I don't think they should "ban" anything. Just don't allow systems with CFW to connect. Allow that console to switch back to OFW and connect at will.

Can anyone see a problem with this?

I can still play my legally obtained games online, and still enjoy CFW when I want to without worry. Cheating is gone, hacks are gone, etc.

 

[Oni Jazar]

Can we stop calling this a damn rootkit? This is a Sony OS with Sony system calls to phone home. Just about every modern online system does this.

 

[The Faceless Master]

Taken from the PS3 CFW thread:


Assuming that the PS3 now has a similar rootkit as the audio-CD rootkit, would it be possible to get trojans and malware on the PS3? If so, how is this possible? I'm wondering about this. On PS3 CFW i can see that it is possible because people can develope their own PS3 programs, put it online and people can download it and run it. But what about PS3 consoles that hasnt been hacked/modified at all? But as with all "private" software, we should be careful about what we install

it would be possible if someone had an open wifi with their own special routing and someone else connected their PS3 to leech off the person's Wifi...or if someone pulled off a DNS cache poisoning attack and had all their ducks in a row and people connected to the PSN using the comprimised DNS entries...

technically possible, but realistically.. never gonna happen.

 

[kamorra]

We'll have to see how this all plays out because right now there isn't really any great homebrew, and it may not get a chance to blossom. A video converter ala Handbrake that can put Cell to good use would be nice, for starters.

To make backups of your DVDs? Why would you need that?

 

[Raist]

And that 100% is less if you aren't an idiot and go "CFW! *jumps on the newest*"

You wait for the people that make the code to test it and declare it okay to update before doing it.

Meanwhile, Sony:

"New firmware."
"ZOMG SAFE!"
(bricks)

That's not what I'm talking about. There's a certain %age of risk of bricking a piece of hardware when you flash it's FW/Bios etc. This can be due to mistakes, but most of the time it's not 100% under control
No OFW ever bricked 100% of consoles with 256megs NAND, for instance. While with some guy's (forgot his name) FW, it did. Whether you install or not is irrelevant in that case.

 

[iapetus]

It's as shitty as the one you just made. For example, you just called what Sony made an exploit without even knowing if it actually is one. And again you choose to install this firmware update. You choose connect it to PSN.

<sigh>

We've been over this and you're never going to get it. If Sony say "You must install this update in order for your console to continue working as it did when we sold it to you, and you no longer have the option to reject this arbitrarily changed agreement and return your hardware for a refund" then it's not an entirely free choice. By updating you lose functionality or enable undesirable features. By not updating you lose the ability to access certain features of games that you've paid for in good faith, and the ability to play back media that you've paid for in good faith.

As a consumer, I dislike the precedent this sets. As a consumer, you don't give a toss. That's going to be the way it is. You're perfectly happy with measures being taken that treat you as a potential criminal by default, and I'm not. I think consumers should have certain rights protected regarding things that they've bought for a substantial amount of money. You don't.

We're just going to have to agree to differ on this, because neither of us seems willing to move from their position on the matter. I value keeping certain of my rights (for example, the right not to have functionality that I paid for and used removed from a product without my consent because of something that I neither did nor intended to do with it) over certain conveniences that you value more highly.

If you accept it the first time then all other times after that it will be just by it's normal use. No different then accepting to install this firmware.

Wrong again.

 

[Argyle]

You're wrong. 3.56 does nothing to stop you from installing custom firmware. A 3.56 console can run all the custom firmware that 3.55 can. What 3.56 does is it give PSN the ability to remotely install new code on the PS3 without user interaction. The intended use of this would be for Sony to upload a bit of code to your console that runs a quick hash check on all of the executables on your hard drive and then sends them back to Sony. Sony could then use those hash values to see if you have anything installed that they haven't officially signed. Then they can remotely delete that software and reboot your console. They're theoretically unmodding your console remotely.

The problem is that they've done it in such a way that someone malicious could theoretically use that same method to brick any 3.56 PS3 that connects to PSN.

I believe you are wrong in this case, I think Sony have changed the private key for PS3 firmware updates as well, so people trying to sign FW updates with the old keys will not be able to install on 3.56.

The new keys are unknown and since Sony has fixed the bug in the signing algorithm, it is unlikely that the hackers will be able to derive them. There may be other exploits in 3.56 that allow CFW but all the current ones seem to have been patched, so if you're on 3.56 OFW, for now you will not be able to install CFW.

 

[Grampa Simpson]

I run Ubuntu on all my computers. I have a winXP partition for gaming with nothing on it really except steam.

Hey Linux buddy. I do the same thing.

 

[Metalmurphy]

You're wrong. 3.56 does nothing to stop you from installing custom firmware. A 3.56 console can run all the custom firmware that 3.55 can. What 3.56 does is it give PSN the ability to remotely install new code on the PS3 without user interaction. The intended use of this would be for Sony to upload a bit of code to your console that runs a quick hash check on all of the executables on your hard drive and then sends them back to Sony. Sony could then use those hash values to see if you have anything installed that they haven't officially signed. Then they can remotely delete that software and reboot your console. They're theoretically unmodding your console remotely.

Cool, thanks for the info.

The problem is that they've done it in such a way that someone malicious could theoretically use that same method to brick any 3.56 PS3 that connects to PSN.

Is this confirmed or are you just assuming it?

<sigh>

We've been over this and you're never going to get it. If Sony say "You must install this update in order for your console to continue working as it did when we sold it to you, and you no longer have the option to reject this arbitrarily changed agreement and return your hardware for a refund" then it's not an entirely free choice. By updating you lose functionality or enable undesirable features. By not updating you lose the ability to access certain features of games that you've paid for in good faith, and the ability to play back media that you've paid for in good faith.

As a consumer, I dislike the precedent this sets. As a consumer, you don't give a toss. That's going to be the way it is. You're perfectly happy with measures being taken that treat you as a potential criminal by default, and I'm not. I think consumers should have certain rights protected regarding things that they've bought for a substantial amount of money. You don't.

We're just going to have to agree to differ on this, because neither of us seems willing to move from their position on the matter. I value keeping certain of my rights (for example, the right not to have functionality that I paid for and used removed from a product without my consent because of something that I neither did nor intended to do with it) over certain conveniences that you value more highly.

Actually when you buy a PS3 you are NOT guaranteed to have PSN. Sony can go ahead and shut down all their PSN servers next month and there is nothing you could do, so by not connecting to it you wouldn't not be depriving yourself of something you were supposed to have, because you are NOT supposed to have it. You have it cause Sony at the moment lets you have it.

Games come with firmware update on the disc, you can still update it and not connect it to the internet. You won't get any code from Sony that way.

Wrong again.

Am I supposed to just take your word for it? Go install the Quake Live app and see how it sends and receives data without asking you anything the next time you visit it.

 

[jcm]

I run Ubuntu on all my computers. I have a winXP partition for gaming with nothing on it really except steam.

Steam and your Subscription(s) require the automatic download and installation of software and other content and updates onto your computer ("Software"). You may not use the Software for any purpose other than the permitted access to Steam and your Subscriptions. You understand that for reasons that include, without limitation, system security, stability, and multiplayer interoperability, Steam may need to automatically update, pre-load, create new versions or otherwise enhance the Software and accordingly, the system requirements to use the Software may change over time. You understand that neither this Agreement nor the terms associated with a particular Subscription entitles you to future updates, new versions or other enhancements of the Software associated with a particular Subscription although Valve may choose to provide such updates, etc. in its sole discretion.

 

[DonMigs85]

To make backups of your DVDs?

Not necessarilly like-for-like backups - maybe just converted files for your various portable devices, for example.
I mean, I'm never planning to install CFW but as long as it's out there they might as well make homebrew that puts the PS3's unique strengths to good use.

 

[pj]

Have you ever met a hacker before?

Step 1 is the only deterrent, and that should happen fairly soon. By the time they finish step one, everything else will be ready to go.

Are you insane? Hacking of PSN "should happen fairly soon"? Do you think they run PSN on a bunch of PS3s? What does any of this recent news have to do with PSN getting compromised? How would everything else be ready to go if they don't know what the code looks like that the PS3 is expecting from PSN? How would they know the internal process through which those updates are made live? How would no one notice that an unauthorized update is being pushed out to consoles?

And here's the thing that totally kills your dumb theory; why would a hacker do all of that instead of stealing the millions of credit cards, names and addresses that are stored on PSN? I mean the hacker would just need to have his PSNcreditcardstealer.exe ready to go when he hacks PSN in the next couple of days.

I have windows automatic updates turned off because a hacker might compromise microsoft and distribute a trojan as an update. MS is pretty close to being compromised so I'm not paranoid or anything.

 

[Grampa Simpson]

I believe you are wrong in this case, I think Sony have changed the private key for PS3 firmware updates as well, so people trying to sign FW updates with the old keys will not be able to install on 3.56.

The new keys are unknown and since Sony has fixed the bug in the signing algorithm, it is unlikely that the hackers will be able to derive them. There may be other exploits in 3.56 that allow CFW but all the current ones seem to have been patched, so if you're on 3.56 OFW, for now you will not be able to install CFW.

But the old keys are still there - they can't revoke them or pre-existing games won't run.

 

[AmericanNinja]

Good. Stop the hackers.

 

[mrklaw]

<sigh>

We've been over this and you're never going to get it. If Sony say "You must install this update in order for your console to continue working as it did when we sold it to you, and you no longer have the option to reject this arbitrarily changed agreement and return your hardware for a refund" then it's not an entirely free choice. By updating you lose functionality or enable undesirable features. By not updating you lose the ability to access certain features of games that you've paid for in good faith, and the ability to play back media that you've paid for in good faith.

As a consumer, I dislike the precedent this sets. As a consumer, you don't give a toss. That's going to be the way it is. You're perfectly happy with measures being taken that treat you as a potential criminal by default, and I'm not. I think consumers should have certain rights protected regarding things that they've bought for a substantial amount of money. You don't.

We're just going to have to agree to differ on this, because neither of us seems willing to move from their position on the matter. I value keeping certain of my rights (for example, the right not to have functionality that I paid for and used removed from a product without my consent because of something that I neither did nor intended to do with it) over certain conveniences that you value more highly.



Wrong again.

hmm. Interesting point. At what point are you accepting revised terms and conditions?

PSN is one issue - each time they update online there are T&Cs to agree to. You disagree, you don't sign in. Fine (shitty but fine).

But what about retail games that come with 3.56 on for instance (hypothetically for now). In theory, they should come with T&Cs that require you to accept the new firmware in order to be able to play that title. So if you disagree, you should be able to return that software for a refund.

but I don't know what that means for the hardware. Is there anything that says the PS3 will play every game that ever comes out in the future? Or is it acceptable that future games require firmware updates for whatever reason?

 

[Raist]

It would be pretty easy to spot something like that.

For your average PS3 user that has no knowledge of this kind of stuff? Especially considering how easy it is to install CFW? I doubt it. Now if oyu're gonna use that as an argument, you could say the same thing to the people who're saying that Sony's 3.56FW opens the door to malicious attacks.

 

[Mithos]

You want on that list? We can tango my rapscalion fiend!

I want on to what list?, If you're talking about the one I just posted, I'm ON that list ;P

Anyways my point was, I trust Sony to "only" check for illegal files/CFW in these tests when signing on or whatnot, and that they won't do any harm to my system doing these tests.

What I don't trust is if a 3rd party (evil doers on the internet so to speak) will try to exploit this ability to check my PS3 when I use my PS3, IF its even possible to do so, time will tell.

Maybe time will show they can't, then wooopie!

And yes I'm already on 3.56, because I wan't to use PSN.

 

[Zoe]

Except, of course, from what's been said this doesn't require you to log in to PSN. And no, that doesn't make it right either, in the same way that websites you connect to aren't allowed to send you arbitrary code to execute when you log in.

According to that chat excerpt from Math, it only happens upon PSN login.

 

[Argyle]

But the old keys are still there - they can't revoke them or pre-existing games won't run.

Yes, but there's nothing stopping them from revoking them for future firmware updates...

(To clarify, I mean the actual firmware update.pup, from 3.56 onward those are going to be signed with a new key. I would expect game executables etc. to also be signed with a new key going forward, possibly one that changes periodically...so you will see a new FW update and new games signed with a new key...then if you are on CFW and you want to play those new games, you will have to wait for the hackers to decrypt the FW update and extract the public key from it...doesn't something like this already happen with PSP? Anyway, of course game executables signed with the old key will continue to work on future firmwares...)

 

[tzare]

DLNA.

i guess without DNS or wrong ones you can still connect your PS3 to your home network and prevent it from going online. or maybe by changing options in your router

 

[DonMigs85]

But the old keys are still there - they can't revoke them or pre-existing games won't run.

The only solution to that would be a billion-dollar plus program of reprinting every PS3 game ever released with the new keys, and offering them as free replacements to existing media with the old keys.

 

[jcm]

<sigh>

We've been over this and you're never going to get it. If Sony say "You must install this update in order for your console to continue working as it did when we sold it to you, and you no longer have the option to reject this arbitrarily changed agreement and return your hardware for a refund" then it's not an entirely free choice. By updating you lose functionality or enable undesirable features. By not updating you lose the ability to access certain features of games that you've paid for in good faith, and the ability to play back media that you've paid for in good faith.

As a consumer, I dislike the precedent this sets. As a consumer, you don't give a toss. That's going to be the way it is. You're perfectly happy with measures being taken that treat you as a potential criminal by default, and I'm not. I think consumers should have certain rights protected regarding things that they've bought for a substantial amount of money. You don't.

We're just going to have to agree to differ on this, because neither of us seems willing to move from their position on the matter. I value keeping certain of my rights (for example, the right not to have functionality that I paid for and used removed from a product without my consent because of something that I neither did nor intended to do with it) over certain conveniences that you value more highly.



Wrong again.

Not that any of us read them, but the original System Software Agreement you accepted had language saying they might do this.

From time to time, SCE may provide certain updates, upgrades or services to your PS3™ system to ensure it is functioning properly in accordance with SCE guidelines. Some services may be provided automatically without notice when you sign onto SCE's online network, and others may be available to you through SCE's website or authorized channels. Without limitation, services may include the provision of the latest update or download of new release that may include security patches, and new or revised settings and features which may prevent access to pirated games, or use of unauthorized hardware or software in connection with the PS3™ system. Some services may change your current settings, cause a loss of data or content, or cause some loss of functionality. It is recommended that you regularly back up any data on the hard disk that is of a type that can be backed up.

Incidentally, Sony makes it very easy to see old versions of the PSN TOS, but they don;t do the same for the system software agreement. They should be posting old versions of both.

 

[kamorra]

Not necessarilly like-for-like backups - maybe just converted files for your various portable devices, for example.
I mean, I'm never planning to install CFW but as long as it's out there they might as well make homebrew that puts the PS3's unique strengths to good use.

Oh, circumventing the copy protection and make copys for various portable devices. I'm sure the movie industry loves that. Why is this more acceptable again? Do you remember?

Yeah, especially after seeing them act so smug and over-entitled. All for the sake of their precious emulators and backup managers (because apparently they're too lazy to get up off the couch and swap discs. I might be more understanding if their BD drives are actually dead).

 

[Dunlop]

What's funny with this line of logic is that Sony have already caused a loss of enjoyment for a product people purchased. You can't have it both ways.

how?

Please don't tell me this is "justified" by the removal of OtherOS

 

[-Amon-]

You know what I find funny?

When this happens, and the console can run signed code sent by Sony, everyone is worried about the supposed security hole.

But when an exploit is found that can run unsigned code made by anyone, no one gives a shit about the real security hole, all it matters then is that it can lead to CFW!!

This.

It clearly shows the lack of logic of the supposed pro consumer camp.

 

[Vagabundo]

but I don't know what that means for the hardware. Is there anything that says the PS3 will play every game that ever comes out in the future? Or is it acceptable that future games require firmware updates for whatever reason?

I'd love if there were some test cases for this kind of thing, esp for gaming consoles. It's pretty crappy to enforce firmware upgrades unless they are necessary to play the thing you want to play.

So I can see a firmware upgrade required for PS Move, but do I need 3.56 if I'm not going to use PSN. Their are zero features in it that enhance my non-PSN experience, yet unless I go with CFW, I'll have to update at some stage if I continue to buy new games.

Hey Linux buddy. I do the same thing.

*fistbump*

Proudly running Linux since 1998 - installed debian over a serial connection via a shared out CD-Rom drive. Took me 4 days to work it out, including custom making my own serial connections.

 

[cyberheater]

The people who are using CFW are not bothered about this as it doesn't affect us (we'll get an offline CFW with this patched out). This affects people on official firmware.

That's a really good point. And it's probably a good thing that from now on you'll only be able to go online with legit FW. I've got no problem with that.

 

[Quixzlizx]

If hackers can use 3.56 to spoof PSN, upload unsigned code to your ps3, and execute it... why couldn't they do this before 3.56? The security hole that allows unsigned code to be executed is already there.

 

[Dibbz]

How are people coming to the conclusion that an outside source is going to use this to take over your PS3? The code is controlled remotely by Sony right? So your PS3 responds to what PSN asks it. How are hackers going to take over your PS3 unless they get control of PSN?

Makes no sense. Some of you guys are going nuts trying to save your precious CFW.

 

[Raist]

If hackers can use 3.56 to spoof PSN, upload unsigned code to your ps3, and execute it... why couldn't they do this before 3.56? The security hole that allows unsigned code to be executed is already there.

Not to mention that you can't install random stuff on OFW (not even 3.55, which is why you need to install CFW first) and that as of 3.56 no one can figure out keys anymore.

 

[Emitan]

That's what they would be doing. It wouldn't matter if they banned account anyway since any game on your harddrive is playable in any account that you select.

Not true. You need the account that bought it on the system. I bought most of my PSN games on one account and then made a new account because I wanted a name change. I can't play my PSN games if I delete my old PSN account off my PS3.

 

[Grampa Simpson]

Cool, thanks for the info.

Is this confirmed or are you just assuming it?

I'm assuming that the IRC log isn't a fabrication. It reads in a fairly valid manner, and leads to some fairly straightforward conclusions.

There are really two things to remember here:

1. If Sony revokes the pre-existing keys that they have, pre-existing software (like games on discs) won't run. Therefore they won't revoke those keys.

2. Any system on the internet is vulnerable.

What they've done here is added a vulnerability to the PS3 - one that a couple of guys on IRC can learn how to use.

I'm hoping that the new vulnerability uses a new private/public key combination to validate any code that it executes.

The theoretical doomsday scenario is that someone finds their way on to a PSN login server, uploads a little executable that bricks PS3s (all you really need to do is throw any old set of bits at the boot flash), and installs a script to use the remote execution functionality.

I'm not saying that it's trivial, but the script and the bricker can be prepared ahead of time, and eventually a sysadmin at Sony is going to slip up and some hacker will be on the inside. That is if one wasn't a year or three ago and left a rootkit.....

 

[lupinko]

Doesn't the 360 have a similar security feature for banning modded consoles?

Yup, it most certainly does.

 

[DonMigs85]

Oh, circumventing the copy protection and make copys for various portable devices. I'm sure the movie industry loves that. Why is this more acceptable again? Do you remember?

It's not like I can rip a PS3 game, shrink it down and run it on my iPod, PSP or DS *trollface*

Spoiler

Don't take that too seriously, lol

 

[Dreams-Visions]

I hate this thread. So much concentrated ignorance in such a short thread.

It's draining to read.

 

[Raist]

Not true. You need the account that bought it on the system. I bought most of my PSN games on one account and then made a new account because I wanted a name change. I can't play my PSN games if I delete my old PSN account off my PS3.

If they ban a PSN account, I doubt this would have any effect on the user account. As long as it stays on the console it's fine, access to PSN or not.

 

[plainr_]

So from my understanding it's:

a) stick with 3.55, enjoy all your CFW needs, emulators, mods, backups, etc...

or

b) update to 3.56, get all your unofficial Sony code deleted by Sony, but gain access to PSN.

For those with CFW, why would you update to 3.56 in the first place? Aren't there hacks out there to bypass firmware requirements for games?

For those with OFW, why would this even matter? Is it really a security risk? In order to get malicious code on your PS3 in the first place is to have CFW, am I right?

Fill me in here.

 

[iapetus]

how?

Please don't tell me this is "justified" by the removal of OtherOS

I'm not saying that (though the courts might). I'm just pointing out that their removal of OtherOS has done exactly the same for some people that you claim CFW does for others.

 

[Beer Monkey]

i guess without DNS or wrong ones you can still connect your PS3 to your home network and prevent it from going online. or maybe by changing options in your router

Oh, believe me, I've already blocked connections to playstation.net in my router's firewall. My PS3 can't talk to Sony no matter how it tries with the current firmware. us.np.stun.playstation.net is the server that the PS3 contacts at boot time.

 

[Grampa Simpson]

*fistbump*

Proudly running Linux since 1998 - installed debian over a serial connection via a shared out CD-Rom drive. Took me 4 days to work it out, including custom making my own serial connections.

1995 - Nothing as awesome as building my own serial cable. Downloaded Slackware floppies - wrote the A series to actual floppies (1.44mb baby!) and installed the other series from a DOS partition on the same disk.

 

[LiquidMetal14]

Oh, believe me, I've already blocked connections to playstation.net in my router's firewall. My PS3 can't talk to Sony no matter how it tries with the current firmware. us.np.stun.playstation.net is the server that the PS3 contacts at boot time.

Not that they couldn't change that with 3.56

 

[Emitan]

If they ban a PSN account, I doubt this would have any effect on the user account. As long as it stays on the console it's fine, access to PSN or not.

I was just arguing semantics a bit. He said you can play any game on your system with any account. This is not true. Would the PSN account that purchased these games be removed by Sony? No. But his statement was not entirely correct.

 

[iapetus]

Not that any of us read them

And not that they have any legal standing inasmuch as they go against consumer rights.

 

[Beer Monkey]

For those with CFW, why would you update to 3.56 in the first place? Aren't there hacks out there to bypass firmware requirements for games?

There will be hacks and new custom firmwares. It's early, that's all.

 

[kamorra]

It's not like I can rip a PS3 game, shrink it down and run it on my iPod, PSP or DS *trollface*

Spoiler

Don't take that too seriously, lol

Ha! With CFW I can play all PS3 games via Remote Play on my PSP.

 

[N.A]

I'm assuming that the IRC log isn't a fabrication. It reads in a fairly valid manner, and leads to some fairly straightforward conclusions.

There are really two things to remember here:

1. If Sony revokes the pre-existing keys that they have, pre-existing software (like games on discs) won't run. Therefore they won't revoke those keys.

2. Any system on the internet is vulnerable.

What they've done here is added a vulnerability to the PS3 - one that a couple of guys on IRC can learn how to use.

I'm hoping that the new vulnerability uses a new private/public key combination to validate any code that it executes.

The theoretical doomsday scenario is that someone finds their way on to a PSN login server, uploads a little executable that bricks PS3s (all you really need to do is throw any old set of bits at the boot flash), and installs a script to use the remote execution functionality.

I'm not saying that it's trivial, but the script and the bricker can be prepared ahead of time, and eventually a sysadmin at Sony is going to slip up and some hacker will be on the inside. That is if one wasn't a year or three ago and left a rootkit.....

Sony don't need to revoke the keys. They just use the new, fixed keys they implemented in 3.56. They then include a value in the file header that identifies itself as using the new keys and the PS3 will decrypt it.

They would then presumably make any code executed remotely have to be signed with these new keys.