If December’s much-publicised gutting of the PlayStation 3’s security systems is proof of anything, it’s this: Where software is concerned, there is no such thing as an unpickable lock, and piracy-prevention strategies that amount solely to locking the door are doomed to failure.
Until a few, short weeks ago, the console was being touted as ‘unhackable’ by some pundits. The vital root keys that allow programmers to ‘rubber stamp’ software for use were tucked away safely in its esoteric processing architecture, access to which is blocked by multiple layers of encryption.
Exaggerated claims invite heavy falls. The crack, detailed by the underground group ‘fail0verflow’ at the Chaos Communications Congress in Berlin, and subsequently employed by celebrity iPhone hacker George Hotz, has delivered those keys into the hands of the internet at large.
The implications for the market cannot be understated. This is an order of magnitude beyond any security compromise experienced during the current generation of console hardware, or even to date.
Sony’s recently revealed legal suit against Hotz, fail0verflow and 100 other unnamed individuals is an appropriately noisy response, making it clear to concerned third-party publishers and pirates alike that such meddling will not go unchallenged. But the damage has already been done.
WHEN THE WALLS FELL
When Hotz ‘jail-broke’ the PS3 in January 2010 “for research purposes”, using a USB stick and a Linux kernel to gain control over one of its security layers, Sony was able to fill in the relevant loopholes via firmware update.
The manufacturer also took the opportunity to disable the console’s ‘Install Other OS’ option, citing its right to alter advertised features of the product in order to shield it from piracy.
No such solutions are possible this time round. In theory, possession of the root keys will allow coders to disguise doctored software – including, naturally, so-called ‘back-ups’ of game files – as the real McCoy when connected to PlayStation Network.
Unless Sony has a separate, undivulged set of security checks, its server-side monitoring systems will be unable to distinguish between legitimate and illegitimate code.
Custom firmwares have already been developed and released by other hacker groups, paving the way both for homebrew software and what in all probability will be an avalanche of pirated games.
According to Digital Foundry, Sony may have no choice but to modify the root keys themselves, thereby invalidating all software designed to run on the hardware, and compile a mammoth “white list” of accepted existing games.
The release of the keys – made possible by the manufacturer’s somewhat baffling decision to employ a single, fixed number during encryption procedures which the fail0verflow team were able to reverse-calculate – is grounds for a major review of security strategy.
PIRATES OR PIONEERS?
More importantly, though, the PS3 crack should be considered a clarion call for Sony and its fellow publishers to pursue other, more constructive means of discouraging any tampering with their software.
This involves distinguishing card-carrying hackers like Hotz from software pirates. There is overlap between the two groups of course, but where piracy can be treated as a market phenomenon, reduced to the play of profit motives, hacking is to some degree a question of ideology – a mindset.
Perhaps the key criterion of that mindset is a delight in exerting intellectual muscle, in pushing boundaries for the sake of it.
According to Free Software Foundation president and hacker godfather Richard Stallman, the process is one of “exploring the limits of what is possible, in a spirit of playful cleverness”.
Such “playful cleverness” typically feeds into a rarefied brand of techno-liberalism, stemming from much older writings on free speech.
Hackers believe that they and other consumers should be able to modify and redistribute any code they buy.
This, of course, flies in the face of the now deeply entrenched legal concept of proprietary software, under which consumers procure a licence to use a product in certain ways, rather than ownership of the product itself.
Hackers thus frequently cast themselves in the role of digital freedom fighters, thwarting what they perceive to be big business denying paying consumers full use of their purchases.
Which brings us back to fail0verflow and Hotz. Besides distancing themselves from piracy, both parties have insisted that they took action in response to what fail0verflow terms Sony’s “illegal” termination of Other OS and with it the platform’s nascent homebrew coding scene.
In the manufacturer’s defence, the furore over the removal of Other OS can be attributed in part to unavoidable bad timing.
Shortly before Hotz unveiled his original hack, Sony had decided not to include Other OS on PS3 Slim as a cost-cutting measure, assuring concerned Linux hobbyists that it would not retrospectively cut the feature from older PS3 models.
When security anxieties forced Sony’s hand, the company was accused of betrayal.
A NEW STRATEGY
Nonetheless, there’s a practical lesson to be learnt here – other than that events sometimes take on a life of their own.
The loss of Other OS deprived a small but potent, tech-savvy portion of Sony’s customer base of an avenue for expression. These customers have put pressure on the manufacturer in the only way they can – and the long-term cost may outweigh whatever Sony has recouped by trimming down the PS3’s feature set.
If companies wish to address the problem of piracy in any lasting fashion, they must combine carrot and stick incentives; clamping on restraints where necessary, but loosening the screws enough to give experimental souls room to breathe.
Piracy is unlikely to ever disappear. There will always be hackers for whom no freedoms are free enough. But alienating the elite coders who pirates rely on won’t help. Sony can dream up all the locks they want – the real challenge is persuading people not to pick them.
Edwin Evans-Thirwell is the network editor for Kikizo