Geohot said:
To start, I sure am glad I don’t have a PSN account about now. And, as a onetime victim of identity theft, I feel for everyone who’s data has been stolen. I’m not going to make cracks at Sony for flipping a shit when /their/ data is compromised, and not even having the decency to apologize when it’s your data that’s misappropriated.
And to anyone who thinks I was involved in any way with this, I’m not crazy, and would prefer to not have the FBI knocking on my door. Running homebrew and exploring security on your devices is cool, hacking into someone elses server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony.
One of the things I was contemplating back in early January was a PSN alternative, a place for jailbroken consoles to download homebrew and game without messing up anyone else’s experience. Unfortunately events led me off of that path, but gamers, if I had succeeded you would have a place to game online with your PS3 right now. I’m one of the good guys. I used to play games online on PC, I hated cheaters then and I hate them now.
Also, let’s not fault the Sony engineers for this, the same way I do not fault the engineers who designed the BMG rootkit. The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.
Now until more information is revealed on the technicals, I can only speculate, but I bet Sony’s arrogance and misunderstanding of ownership put them in this position. Sony execs probably haughtily chuckled at the idea of threat modeling. Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client(can’t trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server? This arrogance undermines a basic security principle, never trust the client. It’s the same reason MW2 was covered in cheaters, Activision even admitted to the mistake of trusting Sony’s client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you. Notice it’s only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not GMail when Android was rooted. Because other companies aren’t crazy.
And let’s talk about Sony’s use of the word illegal. It is illegal, criminally so, to break into someone else’s servers. But when the same word is used to refer to streaming a song from a non RIAA approved website, or to *gasp* playing a homebrew game on your PS3, respect for the word and those who say it is lost.
Weighing in quickly on the whole hacker vs cracker thing. I am a hacker. Whoever did this were hackers also. The media will never start using the word cracker. To me, a hacker is just somebody with a set of skills; hacker is to computer as plumber is to pipes. And the same ethics should apply, if you want to mess with the pipes in your own house, go for it. But don’t go breaking into people’s houses and messing with their pipes. (Note that I do not endorse water piracy)
To the perpetrator, two things. You are clearly talented and will have plenty of money(or a jail sentence and bankruptcy) coming to you in the future. Don’t be a dick and sell people’s information. And I’d love to see a write up on how it all went down…lord knows we’ll never get that from Sony, noobs probably had the password set to ‘4’ or something. I mean, at least it was randomly generated.