It is the turn of PS3

For years, Sony’s PlayStation resisted hackers. One potential explanation was that by authorizing homebrew applications to execute on the PS, Sony removed the entire homebrew community (which is a large chunk of the reverse engineering community) from the pool of attackers. This is no longer true.

Since 19 August, the PSjailbreak has been available. This USB stick allows running copies of games. It is a kind of R4, but for the PS3. It works on the PS3 and the PS3 Slim. The price is rather high (at least in France, around 130€ or $160). Every report claims that it works.

Sony has already claimed that through its network, PSN, it can detect the presence of the JailBreak and then retaliate. I have not yet found a post that confirms a counterstrike by Sony on PSN. The current version of PS3Jailbreak does not offer any upgrade feature, which may be a weakness.

The funny part of the story is that pirates may soon be pirated. The reverse engineering of the PSJailBreak has already started. The hack is based on a standard PIC microcontroller, the PIC18F. It seems that the code has already been successfully dumped. Some sites are already offering clones such as PS3stinger, PS3key, X3JailBreak… The distributor evidently foresaw this, because its site clearly warns about imitators and has created a logo for authorized dealers.

 

Once more, our law #1, “attackers will always find their way”, has been verified. It just took longer than for the other game consoles. Now, let’s wait for Sony’s reaction.

Positive mood

This weekend, my family purchased a DVD. When viewing it, what a surprise! The usual scary, threatening video sequence explaining that downloading movies from P2P is bad was absent. It was replaced by a new message saying something like “By purchasing this DVD, you are supporting the jobs for the UK movie industry”. And at the end of the video sequence, a huge, heavy “THANK YOU” falls noisily onto the screen. Very Monty Python-like (it is probably because it was a UK movie :-) ).

This change is interesting. One of the rules I learnt in Communications was to always favor the positive form rather than the negative one. A positive message gets through better. You should use the negative form if you want to create fear (Lovecraft was very good at that. Sorry, I’m digressing).

Will it have an impact on piracy? Probably not. Nevertheless, it may help to restore the reputation of content owners a little. This is also part of the battle.

I don’t know if this will be generalized to every DVD. I think it would be a good idea.

Where Do Security Policies Come From?

In a paper presented at the 6th Symposium on Usable Privacy and Security, Dinei Florencio and Cormac Herley of Microsoft Research examined the password policies of 75 Internet sites. The websites ranged from very popular sites and services such as Facebook or Paypal to more confidential ones such as governmental agencies.

They evaluated the strength of the enforced policy with the equation N · log2(C), where N is the minimum size of the password and C is the cardinality of the allowed character set. Obviously, this equation is not a perfect evaluation of the constraints because it does not take into account constraints such as the mandatory use of digits or special characters. Nevertheless, the result is simple (and perhaps not too surprising):

The size of the site, the number of user accounts, the value of the resources protected, and the frequency of non-strength related attacks all correlate very poorly with the strength required by the site.

In other words, the sites with the most constraining policies are not necessarily the sites that are most at risk. For instance, Gmail and Paypal do not have strong constraints. Most often, the sites with the most constraining policies either have no incentive to attract numerous visits or have a captive “audience”. The constraints were more driven by the need to attract visitors than by security itself.

It is the usual trade-off between security and usability. Facebook, which is funded by advertising, needs frequent visitors. An overly complex password policy may put off many users and thus make the site less attractive.

The authors argue that there is most probably no need for a strong password policy, because the strategies used to defeat online brute-force attacks should be deterrent enough. They cite Twitter, which recently banned the 370 most common passwords. According to them, strong passwords are most probably only useful when an attacker gains access to the hashed password files. (Remember the use of rainbow tables.)

Their view on the trade-off between usability and security is interesting.

When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.

I’ll let you savor this statement. Any reactions?

The paper is available here.
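The caveat noted above, that N · log2(C) ignores mandatory character classes, can be made concrete by counting the passwords of length N that actually satisfy such a rule. This is an added example, not code from the paper; the character-class sizes (printable ASCII) and the sample policies are assumptions constructed for illustration.

```python
import math
from itertools import combinations

# Assumed class sizes for printable ASCII (not taken from the paper).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def metric_bits(n, allowed):
    """The metric quoted above: N * log2(C)."""
    c = sum(CLASS_SIZE[k] for k in allowed)
    return n * math.log2(c)

def compliant_count(n, allowed, required=()):
    """Exact number of length-n passwords over the allowed classes that
    contain at least one character from every required class
    (inclusion-exclusion over the classes that could be missing)."""
    c = sum(CLASS_SIZE[k] for k in allowed)
    total = 0
    for r in range(len(required) + 1):
        for missing in combinations(required, r):
            reduced = c - sum(CLASS_SIZE[k] for k in missing)
            total += (-1) ** r * reduced ** n
    return total

def compare(policies):
    """Return (name, metric bits, exact bits) for each policy."""
    rows = []
    for name, n, allowed, required in policies:
        exact = math.log2(compliant_count(n, allowed, required))
        rows.append((name, round(metric_bits(n, allowed), 2), round(exact, 2)))
    return rows

ALL = ("lower", "upper", "digit", "symbol")
POLICIES = [  # constructed policies, not those of any real site
    ("6 chars, no composition rule", 6, ALL, ()),
    ("8 chars, no composition rule", 8, ALL, ()),
    ("8 chars, digit and symbol required", 8, ALL, ("digit", "symbol")),
    ("8 chars, all four classes required", 8, ALL, ALL),
]

if __name__ == "__main__":
    for name, metric, exact in compare(POLICIES):
        print(f"{name:38s} metric={metric:6.2f} bits  exact={exact:6.2f} bits")
```

At a fixed length, each composition rule removes candidates from the space, so the exact figure is never above the metric; the metric is an upper bound for passwords of minimum length.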

Torrent Tweet

BitTorrent has just launched a new add-on to the P2P client µTorrent (or utorrent): Torrent tweet. The name of the app is self-explanatory. It is a new way to share or chat about a given torrent. The central server, using the hash tag of the torrent, adds a unique tinyurl to the tweet. Thus, it is extremely easy to point to a torrent.

We may be skeptical about its wide usage. File sharing is often done under cover, and anonymity is probably not the salient characteristic of Twitter. Nevertheless, the use is starting and spreading. Some doubts? Choose the last movie you’ve seen at the theater. Search for its torrent on Twitter, for instance “Salt + Torrent”. You’ll be surprised by the result.

BitTorrent has created a new convenient way to share torrents :-) When will we see a cease-and-desist notice sent through Twitter?

The JailBreaking race

Two weeks ago, two vulnerabilities were disclosed on iPad, iTouch, and iPhones. In a nutshell:

  • A buffer overflow in FreeType allows arbitrary code execution from specially crafted PDF files
  • An integer overflow in IOSurface allows gaining system privilege

By combining both exploits, it is possible to take control of the devices. The site JailBreakMe.com used them to easily jailbreak iPhones and iPads. Jailbreaking allows using a different network operator than the one locked in by the manufacturer (in the case of Apple, AT&T). Interestingly, since the end of July, jailbreaking has been legal in the US.

Apple has just issued new versions that correct these flaws: iOS 3.2.2 for iPads and iOS 4.0.2 for iPhones. It is a good thing because these vulnerabilities could be used for more than jailbreaking (although Apple may not share the same view of jailbreaking).

UltraViolet

At the end of July, DECE made a new move: the creation of a trademark that should identify the interoperable products defined by DECE. The trademark is UltraViolet.

For several years, a large consortium of companies known as DECE has been defining the specifications of an interoperable solution for content delivery based on the concept of a digital rights locker. With UltraViolet, DECE starts to educate consumers.

Is UltraViolet already in the shop? No. Will it be soon? I don’t know, but I will let you make your guess with this quote from the official site about the roadmap.

Ambitious undertakings like UltraViolet take time to be fully deployed in the global market. Keep an eye out as key components are introduced on the “Road to UltraViolet”

The previous site http://www.decellc.com/ now points directly to the new address of UltraViolet.

If you want to learn more about Digital Rights Locker, meet me and Arnaud Robert (Disney) at the ACM DRM workshop, where we will present a paper describing the basics of rights lockers.

I publish, I think

Je publie, je réfléchis (I publish, I think) is the name of a French Internet site that aims to raise awareness (mainly among a young audience) of the risks of publishing things on the Net. It is designed by the CNIL (French authority for IT and liberty).

It provides ten good recommendations before publishing, such as:

  • Ask yourself if you would do the same in “real” life
  • Read the terms and conditions of social web sites. This is probably the least realistic one. It is a tough job. Did you do it yourself when, for instance, joining LinkedIn? I confess that I did not.
  • Don’t publish content that may harm the reputation of somebody else
  • Use a pseudonym that you communicate only to your close friends…

Interestingly, the site is linked to a serious game that describes a realistic scenario and gives some hints to avoid the problems. If you have youngsters, send them to this site.

Unfortunately, the site is only in French. Does anybody know an equivalent site in English?

Thanks to OH for pointing me to the site.

Updated on 3 Dec 14: The site is no longer online.