
It is the turn of PS3

Friday, August 27, 2010

For years Sony’s PlayStation resisted hackers. One potential explanation was that by authorizing homebrew applications to execute on the PS3, Sony removed the whole homebrew community (which is a large chunk of the reverse engineering community) from its set of attackers. This is no longer true.

Since 19 August, the PSJailbreak has been available. This USB stick allows copies of games to be executed. It is a kind of R4, but for the PS3. It works on the PS3 and the PS3 Slim. The price is rather high (in France at least, around 130€ or $160). Every report claims that it works.

Sony has already claimed that through its PSN network it can detect the presence of the jailbreak and then retaliate. I have not yet found a post confirming a counterstrike by Sony on PSN. The current version of PSJailbreak does not offer any upgrade feature, which may be a weakness.

The funny part of the story is that pirates may soon be pirated. The reverse engineering of the PSJailbreak has already started. The hack is based on a standard PIC18F microcontroller, and it seems that its code has already been successfully dumped. Some sites are already offering clones such as PS3stinger, PS3key, X3JailBreak… Clearly, the distributor foresaw this: its site warns about imitators and has created a logo for authorized dealers.

[Image: PS3JailBreak.jpg]

Once more, our law #1, “attackers will always find their way”, was verified. It just took longer than for the other game consoles. Now, let’s wait for Sony’s reaction.

Positive mood

Monday, August 23, 2010

This weekend, my family purchased a DVD. When viewing it, what a surprise!! The usual scary/threatening video sequence explaining that downloading movies from P2P is bad was absent. It was replaced by a new message saying something like “By purchasing this DVD, you are supporting the jobs of the UK movie industry”. And at the end of the video sequence, a huge/heavy “THANK YOU” falls noisily onto the screen. Very Monty Python like (it is probably because it was a UK movie :) )

This change is interesting. One of the rules I learnt in Communications was to always favor the positive form rather than the negative one. A positive message gets through better. You should use the negative form only if you want to create fear (Lovecraft was very good at that. Sorry, I’m digressing).

Will it have an impact on piracy? Probably not. Nevertheless, it may help to restore the reputation of content owners a little. This is also part of the battle.

I don’t know if this will be generalized to every DVD. I think it would be a good idea.

Where Do Security Policies Come From?

Wednesday, August 18, 2010

In a paper presented at the 6th Symposium on Usable Privacy and Security, Dinei Florêncio and Cormac Herley of Microsoft Research examined the password policies of 75 Internet sites. The websites ranged from very popular sites/services such as Facebook or PayPal to more confidential ones such as governmental agencies.

They evaluated the strength of the enforced policy with the formula N·log2(C), where N is the minimum size of the password and C is the cardinality of the allowed character set. Obviously, this formula is not a perfect evaluation of the constraints, because it does not take into account rules such as the mandatory use of digits or special characters. Nevertheless, the result is simple (and perhaps not too surprising):
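To make the metric and its blind spot concrete, here is an added example (my own code, not from the paper) that computes N·log2(C) for a policy and then counts, by inclusion-exclusion, how many strings of length N actually satisfy a composition rule such as “at least one digit”. The character-class sizes are an assumption; substitute the set a given site really allows.

```python
import math
from itertools import combinations

# Constructed character-class sizes (an assumption: the paper's C is simply the
# size of the allowed set, so adjust these to the site being evaluated).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def policy_strength_bits(min_length: int, charset_size: int) -> float:
    """The paper's metric N*log2(C): bits needed to enumerate every string
    of the minimum length over the allowed character set."""
    if min_length < 1 or charset_size < 2:
        raise ValueError("need a positive length and at least two characters")
    return min_length * math.log2(charset_size)


def composition_rule_bits(min_length: int, class_sizes: dict, required: list) -> float:
    """Bits of the space that really satisfies a composition rule ('at least one
    character from each required class'). Counted by inclusion-exclusion over
    the required classes: this is exactly what N*log2(C) leaves out."""
    total = sum(class_sizes.values())
    count = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            # strings that avoid every class in 'excluded'
            remaining = total - sum(class_sizes[c] for c in excluded)
            count += (-1) ** k * remaining ** min_length
    if count <= 0:
        # e.g. 4 required classes but only 3 characters: nothing can comply
        raise ValueError("no string of that length can satisfy the rule")
    return math.log2(count)


def compare(min_length: int, class_sizes: dict, required: list) -> dict:
    """Side by side: the naive metric, the space left once the composition
    rule is applied, and how many bits the rule removes."""
    naive = policy_strength_bits(min_length, sum(class_sizes.values()))
    actual = composition_rule_bits(min_length, class_sizes, required)
    return {"naive_bits": naive, "actual_bits": actual, "lost_bits": naive - actual}


if __name__ == "__main__":
    policies = [
        ("8 chars, letters+digits, digit required", 8, {"lower": 26, "digit": 10}, ["digit"]),
        ("8 chars, all classes, every class required", 8, CLASSES, list(CLASSES)),
    ]
    for name, n, classes, req in policies:
        print(name, {k: round(v, 2) for k, v in compare(n, classes, req).items()})
```

The point the numbers make: a mandatory-digit rule on an 8-character alphanumeric policy removes only a fraction of a bit from the space, so N·log2(C) is a fair first approximation for ranking policies, but it says nothing about how users actually choose passwords inside that space, which is where the paper's argument goes next.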

The size of the site, the number of user accounts, the value of the resources protected, and the frequency of non-strength related attacks all correlate very poorly with the strength required by the site.

In other words, the sites with the most constraining policies are not necessarily the sites most at risk. For instance, Gmail or PayPal do not have strong constraints. Most often, the sites with the most constraining policies have no incentive to attract numerous visits, or have a captive “audience”. The strength of the constraints was driven more by the need to attract visitors than by security itself.

It is the usual trade-off between security and usability. Facebook, which is paid by advertising, needs frequent visitors. A too complex password policy may put off many users and thus make the site less attractive.

The authors argue that there is most probably no need for a strong password policy, because the strategies used to defeat online brute-force attacks should be deterrent enough. They cite Twitter, which recently banned the 370 most common passwords. According to them, strong passwords are most probably only useful in case an attacker gains access to the hashed password file. (Remember the use of rainbow tables.)

Their view on the trade-off between usability and security is interesting.

When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.

I’ll let you savor this statement. Any reactions?

The paper is available here.

Torrent Tweet

Monday, August 16, 2010

BitTorrent has just launched a new add-on for the P2P client µTorrent (or uTorrent): Torrent Tweet. The name of the app is self-explanatory. It is a new way to share or chat about a given torrent. The central server, using the hash tag of the torrent, adds a unique TinyURL to the tweet. Thus, it is extremely easy to point to a torrent.

We may be skeptical about its wide usage. File sharing is often done under cover, and anonymity is probably not the salient characteristic of Twitter. Nevertheless, the usage is starting and spreading. Any doubts? Choose the last movie you’ve seen at the theater. Search for its torrent on Twitter, for instance “Salt + Torrent”. You’ll be surprised by the result.

BitTorrent has created a new convenient way to share torrents :( When will we see cease and desist notices sent through Twitter?

The JailBreaking race

Thursday, August 12, 2010

Two weeks ago, two vulnerabilities were disclosed affecting the iPad, iPod touch, and iPhone. In a nutshell:

  • A buffer overflow in FreeType allowed arbitrary code execution from specially crafted PDF files
  • An integer overflow in IOSurface allowed system privileges to be gained

Combining both exploits, it is possible to take control of the device. The site JailBreakMe.com used them to easily jailbreak iPhones and iPads. Jailbreaking allows the use of a network operator other than the one locked in by the manufacturer (AT&T in the case of Apple). Interestingly, since the end of July, jailbreaking has been legal in the US.

Apple has just issued new versions that correct these flaws: iOS 3.2.2 for the iPad and iOS 4.0.2 for the iPhone. This is a good thing, because these vulnerabilities could be used for much more than jailbreaking (although Apple may not share the same appreciation of jailbreaking).