Saturday, April 3, 2010

Sony, Security, and Consumer's Rights

Many of you saw my recent tweets complaining about the Sony PlayStation 3 firmware update version 3.21 that cripples the second operating system "OtherOS" feature of the PS3. Since then, I've received several questions as to why I thought Sony would remove such a feature, and why I cared so much.

The answers to both questions require more than 140 characters. Here, I will try to explain.

The PlayStation 3 as a Computing Platform

Briefly, the PS3 is an amazing computing platform. It boasts a 7-core 3.2GHz IBM PowerPC Cell processor architecture unlike pretty much anything available at even twice the price. It works with USB and Bluetooth Wireless input devices (mouse, keyboard, gamepads, etc.), has HDMI, Composite, and Component video outputs, digital audio output, an internal SATA hard drive, 802.11b/g wireless, and a Blu-ray DVD-ROM drive.

Sony has, from the start, marketed the fact that this amazing "game console" also supports the ability to run Linux for those power-users who wanted to also use it as a computing platform. This included feature is known as "OtherOS" support.
[Reference: http://www.playstation.com/ps3-openplatform/index.html ]

FWIW, this feature was a deciding factor in my choice of the Sony PlayStation 3 as a game / media / computing platform when I purchased it.

The DRM Arms Race

Without writing yet another long blog about DRM, let me just state a couple of canons about Intellectual Property that I believe to be true:

I. Companies that own intellectual property rights have the right to protect themselves from illegitimate copying, use, or distribution of said intellectual property.

I want to state this up front, because I believe it's important. Far from the "Information Wants To Be Free!" rally cry of the pirates, I understand and acknowledge that media and entertainment production is a business. And those businesses have the right to not have their products stolen from them.

II. All technological measures to prevent unauthorized reproduction or distribution of media will ultimately fail.

We all need to acknowledge this as well. Every software copy protection scheme, every cable transmission encryption scheme, every satellite distribution set-top-box authorization scheme, every music anti-ripping scheme has eventually been broken by those who want to copy the media.

It has happened, it will continue to happen. You cannot present media to a person and yet prevent that person from ultimately being able to reproduce it without your authorization. That is a certainty - almost a law of information, if you will.

So, with these two points acknowledged, all DRM and anti-copying measures come down to this:

What can be done to make illegitimate copying or distribution of media more difficult, without infringing on the legitimate use by the consumer?

That question, my friends, is what the entire DRM side of the media industry does for a living.

The second half of that question is the line that Sony just crossed with the PS3.

Geohot and the PlayStation 3 Hack

A very talented, well known hacker named George Hotz, or "geohot", discovered some bugs in the hardware / firmware implementation of the PS3. These bugs allowed him to write an exploit that provided access to parts of the PS3 hardware that Sony had previously restricted from the OtherOS support. In short, this put the security measures that Sony had implemented to protect their platform and its copy protection schemes at risk.

Geohot's hack is not a way to copy games or movies. It is, however, a way to start tinkering with the protected parts of the system that prevent you from doing so. His hack has a number of beneficial features too, like providing a higher level of customization to power users. Or the ability to include more of the hardware features in custom developed applications for the PS3 OtherOS platform.

A parallel between geohot's PS3 hack and his iPhone hack that made "jailbreaking" possible has been drawn, and for a good reason. They are very similar hacks. They both "open up" a restricted platform so that the consumer has more abilities than the corporation that created it intended.

If you're interested, you can read more on geohot's PS3 blog: http://geohotps3.blogspot.com/

Sony's Reaction to Geohot's Hack

Sony's reaction to Geohot's hack was swift and fascist in nature.

1. Sony has removed ALL "OtherOS" support from ALL PlayStation 3 devices as of the mandatory firmware update 3.21 on April 1st, 2010.

2. If a PlayStation 3 owner chooses not to install update 3.21:

   a. Access to the PlayStation 3 Network is disabled.
   b. Access to online features of purchased games is disabled.
   c. Blu-ray movie playback is disabled.
   d. Many newer (purchased) games are disabled.

[Reference: http://blog.us.playstation.com/2010/03/28/ps3-firmware-v3-21-update/ ]

So Sony is giving its users a choice. Give up OtherOS support, or give up pretty much all the other uses of the PlayStation 3.  Whether or not you think what George Hotz did by finding and exploiting the PS3 vulnerabilities was right or wrong, I assert one thing:

Sony's reaction to geohot's hack is wrong.



They have removed a major feature that was a selling point of the product as a knee-jerk reaction to something that was not only predictable, but inevitable. This "We're going to take our ball and go home" attitude towards their customers is deplorable.

I ask you, Sony, if you want to retain a modicum of respect from the technical community, please reconsider.  Reinstate OtherOS support on the PlayStation 3.

It's just the Right Thing To Do(tm).

- Kenneth "K.C." Budd, CISSP

5 comments:

  1. I like your points, very intuitive as always. I would ask the following questions though.

    It seems your statement is predicated on the assumption that PS3 OS 3.21 was the imminent point of removing the "Other OS" functionality.

    What if I brought the following facts to your attention:

    1. The PS3 slim never had the ability to install "Other OS" since its inception.
    2. The PS3 slim was released well before the hack that Geo came up with, roughly Aug of last year for the US market.

    So now my question is this... was it removed because of GEO's hack and fear of DRM failure and other proprietary secrets becoming available thru an "Other OS" vector, or was it for some other reason unknown to us... maybe the masses just didn't really use that option, and to keep it means to support it.

    Just another POV...thoughts?

  2. Thanks, and interesting counterpoint.

    I am aware that the PS3 Slim doesn't include the OtherOS feature. In my mind, though, that doesn't give Sony cause to remove key features from the previous versions of the product.

    If I bought a Ford with a turbocharger, and later they released a normally aspirated version of the same vehicle, I wouldn't take too kindly to them deciding to remove my turbo during routine maintenance for "supportability reasons."

    As for Sony's motive: true, only they know the reasons why they decided to cripple my PS3.

    On the official Sony blog about the update (linked in my blog post) it states:

    "The next system software update for the PlayStation 3 (PS3) system will be released on April 1, 2010 (JST), and will disable the “Install Other OS” feature that was available on the PS3 systems prior to the current slimmer models, launched in September 2009. This feature enabled users to install an operating system, but due to security concerns, Sony Computer Entertainment will remove the functionality through the 3.21 system software update."

  3. I am a PS3 developer and have been watching this on the internal developer-only forums.

    Sony really didn't want to remove OtherOS - they've always been very hobbyist-friendly, with Net.Yaroze and PS2 Linux and so on - but they also didn't want to get into a different sort of arms race with PSN exploits (cheats, illegitimate trophy awards, etc.). Look at what happened on XBox Live when cheats became possible; now you can potentially be banned from XBox Live just because you bought a used console which someone, at one time, used an unlicensed memory card on.

    It was a very difficult decision, and it's unfortunate that the public explanation has been mishandled, which is unfortunately par for the course with Sony these days.

  4. Just glad to see an update dude. Was Worried About Ya! ;-)

    -Marc

  5. A point I would like to reinstate from the blog entry is that this is all inevitable.

    Whenever there are exploits found, the company fixes/disables things in order to solve the problem (in their best interest). Someone out there will just come up with something to evade that too - like spoofing the update on the PS3.

    It is a never-ending circle of exploits, fixes, and outrage, and someone will always complain no matter what is done.
