Geohot: Blame Sony Execs, Not Engineers

Firm erred in hiring more lawyers instead of more security experts, claims PS3 hacker.

PlayStation 3 hacker George “Geohot” Hotz has offered his own take on Sony’s loss of 77 million customers’ personal information, saying that it is those who make the decisions – not those who design the security – who are at fault.

Hotz kicked off what has been an often miserable 2011 for Sony by publishing the PlayStation 3’s root key with which all authorised software is signed, allowing for homebrew and pirated games to be played on the console.

Sony fought back with a lawsuit, resulting in a protracted legal battle that was eventually settled earlier this month. While Hotz has been ordered not to hack any more Sony products, he is free to speak his mind, and he paints a picture of arrogant executives who cut corners on PS3 security because they believed the system could never be hacked.

“Let’s not fault the Sony engineers for this,” Hotz writes on his blog, “[in] the same way I do not fault the engineers who designed the BMG rootkit. The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.

“Now until more information is revealed on the technicals, I can only speculate, but I bet Sony’s arrogance and misunderstanding of ownership put them in this position,” he continues. “Sony execs probably haughtily chuckled at the idea of threat modelling. Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client, everything is good.

“Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server? This arrogance undermines a basic security principle: never trust the client. Notice it’s only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not Gmail when Android was rooted. Because other companies aren’t crazy.”
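Hotz’s trust-boundary point, as an added Python illustration (not code from the article, from Hotz or from Sony; the service, request fields and stored data are constructed, and nothing here describes how PSN actually worked): the same profile lookup written first to believe an account id asserted by a client assumed to be locked down, then to derive identity only from a server-issued session.

```python
# Added example; not code from the article, from Hotz or from Sony. The
# service, field names and stored data are constructed for illustration.

# Constructed server-side data: account id -> personal data the service holds.
PROFILES = {
    "acct-1": {"email": "one@example.com"},
    "acct-2": {"email": "two@example.com"},
}
# Constructed session table, filled by the server at login: token -> account.
SESSIONS = {"tok-acct-1": "acct-1"}


def handle_trusting_client(request: dict) -> dict:
    """Trust boundary drawn between consumer and client: the server assumes the
    client device is locked down, so it believes whatever account id the client
    asserts and returns that account's data."""
    acct = request.get("asserted_account")
    profile = PROFILES.get(acct)
    if profile is None:
        return {"status": 404, "profile": None}
    return {"status": 200, "profile": profile}


def handle_untrusted_client(request: dict) -> dict:
    """Trust boundary drawn between client and server: identity is derived only
    from a server-issued session token; any account id the client asserts is
    ignored, so a modified client can only ever read its own data."""
    acct = SESSIONS.get(request.get("session_token"))
    if acct is None:
        return {"status": 401, "profile": None}
    return {"status": 200, "profile": PROFILES[acct]}


def compare_handlers() -> dict:
    """Run both handlers on one request from a constructed modified client
    that holds a valid session for acct-1 but claims to be acct-2."""
    request = {"session_token": "tok-acct-1", "asserted_account": "acct-2"}
    return {
        "trusting": handle_trusting_client(request),
        "untrusted": handle_untrusted_client(request),
    }


if __name__ == "__main__":
    for name, result in compare_handlers().items():
        print(f"{name}: {result}")
```

The first handler hands acct-2’s data to a client that only ever authenticated as acct-1; the second returns acct-1’s own data regardless of what the client claims.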

Sony is working with law enforcement and security firms in a bid to ascertain who was behind the hack, and Hotz would like a word with him, too, albeit for different reasons. “To the perpetrator, two things,” he writes. “You are clearly talented and will have plenty of money (or a jail sentence and bankruptcy) coming to you in the future. Don’t be a dick and sell people’s information. And I’d love to see a write-up on how it all went down...lord knows we’ll never get that from Sony.”

Source: Geohot