$ telnet geohot.com 80
HEAD / HTTP/1.1
Host: geohot.com
User-Agent: Dear Sony, I heard you would be reading this log. Because of the way you treat researchers like GeoHot, and your own customers, I will never buy a Sony product again.
It's too bad, too. They took a huge risk with Cell, and it's finally paid off. This kind of behaviour is simply inexcusable, however. I have a ps3, but I don't want to buy new games for it. Not really sure what to do.
I'm not familiar with the risks involved with Cell technology; I've been more indoctrinated to think that parallel processing is really the only way forward right now. Would you (or someone) be willing to elaborate on your stance?
Cell was notoriously expensive and hard to program for (at least, in comparison to the competitors). This has mostly been solved now though and afaik Cell is now, finally, paying off. The quirky architecture Cell is built around was a big risk for them.
When you buy a used product, you're still upping the value of the product. Knowing you can sell something after using it raises its value. Additionally, you're likely funding the seller's purchase of another product, likely from the same company.
Reading this article was really crazy. Sony has also subpoenaed YouTube for information on anyone who watched the video he posted and it was approved. The rationale is that they're trying to sue in California and this will help better prove distribution there. It does not say what Sony intends to do with the information otherwise which is kind of scary.
"What is next? Telling every kid not to open 'a system' to figure out how things worked?
Or may be lets ban engineers to be engineers?"
Sears catalogs and manuals used to have exploded-view diagrams so that consumers could determine how to repair broken products (and so that they could select the proper part to order from Sears). We need to return to that world.
I sincerely hope that we will see a backlash against corporate control of consumer goods.
The more we know about what we own, the more we can learn, the more we can modify things suit our needs, and the more we can reclaim. Fixing something means it won't enter the waste stream. The sort of individualism that hackers embrace imparts a strong sense of ownership over possessions (and code). Think Ikea. Part of the appeal is the pleasure and sense of ownership that come from assembling furniture yourself. Why should electronics be any different?
I have a project in the works to help spread knowledge about the inner workings of things:
Sony is acting like a company trying to maximize profits, it's our government that's tasked with defending 'the people'. If the government is the enabler, why not protest them?
Your government isn't just tasked with defending the people, but also with acting on their behalf; given this, the persons that form the corporate entity Sony are not absolved of personal responsibility and subject to criticism.
The government may be allowing them to do this, but it isn't making them do it.
Sony can bitch all they want, it doesn't matter to Geohot until the government gets involved. Now we're playing for keeps. dreamhost isn't complying with Sony, they're complying with a US court order.
I can't find the link right now - but a guy did a study and found the most efficient way of demonstrating against a listed company was mass-shorting of stocks by protesters. I think he targeted Coke. I wish I could find the link.
I would imagine that a large portion of visits to GeoHot's website was due to the publicity of Sony's legal case. If Sony is trying to provably demonstrate “defendant’s distribution”, shouldn't there be a distinction based on the intent of access?
E.g. IP hits from Google's bots out of Mountain View should not count as "those who downloaded Hotz’ hack reside in Northern California".
Maybe they'll put a list of repeated identities in their next rootkit they ship with their laptops and when it detects someone associated with an identity it will signal the battery to explode...
Ironically, they'll be guilty of the crime "battery".
Anyway, I think we all wish companies would take their revenge in the form of actual violence so that they would actually get in trouble, but they are smarter than that. Emotional pain hurts more than physical pain.
(Based on what they've currently said, which I wouldn't trust, personally)
They aren't looking for identifying information. They are looking for ___location information to prove that San Francisco is an appropriate venu. IP addresses will give them pretty strong ___location evidence, regardless of who was behind that IP.
How useful would that list even be, after all the attention this has gotten wont that IP list be absurdly long? Maybe there trying to use it to form conspiracies by association.
Well my IP is there. I don't own any Sony products, was considering a PS3 (since the price is right), and I almost never mod those kind of devices, but out of principal I don't think I could justify getting one now.
I have a fantasy of every botnet in the world visiting his site DDoS style, but without the DoS part, padding the list to be miles long of printed court evidence.
GeoHot's blog, geohotgotsued.blogspot.com, specifically mentions that his hack got very little attention outside of the standard homebrew hacker scene up until the point he was sued and every tech blog and publication linked to him. These actions are just absurd. GeoHot even states that he has come across means to restore the cryptography on the device, which could effectively shut out piracy. I doubt he'd ever hand it over though. There's no reason to be nice to the guy who's kicking you in the crotch.
Really they should have hired him to work on console security, as well as officially allowing the system to be modded to allow home brew, take away the incentive for the homebrew people to further enabled piracy and get it seems the best person to defend their console against piracy in the future.
"If you read the legal ruling, it's very clear that this judge's ruling is being done so that any information found is designated as Attorneys Eyes Only, meaning that it is restricted to anything relevant to the case (and specific matter being challenged) at hand is disclosed, and anything else summarily forgotten. Hell, the document makes clear that this information is for jurisdictional discovery only, which determines whether or not Geohot can be tried in California."
"Relevant case law allows Sony to subpoena records to determine jurisdiction. They can subpoena Geohot's host because it's pertinent to whether or not his hack had an impact in California, and that the distribution of the key took place. They're allowed to subpoena his tweets to see how many people in California read them. The same goes for the other handful of companies they've subpoenaed."
This won't stop me from boycotting Sony from now on, though. I was actually planning to buy a PS3 to play blu-rays and maybe start playing video games again. No more.
Civil Procedure FTW! Or the loss. I'm not surprised the judge allowed this, it is necessary to prove Sony was correct in filing in CA because the state has jurisdiction over GeoHot. I would be surprised if they granted personal jurisdiction over a kid in NJ.
I'm sure they don't care about people who just loaded up the home page. They are more than likely after the IPs that downloaded the files that are posted on the site (maybe they will try to tie them back to IPs used to acces PSN?)
I can't figure out based on what grounds the judge granted access on the IP logs. Also, what sony could do with the ip addresses?. Nothing, they are just trying to force people away from any websites with such information. The user base of the PS3 are underage teens, vulnerable to such scare tactics ....
I don't see how anybody trusts a VPN or proxy any more than their own ISP. It seems to me that using a privacy-focused VPN (1) makes you stand out more to anyone looking to bring down the proverbial hammer of justice, and (2) puts all of your access history in the hands of a potentially-hostile third party (the VPN/proxy provider, who could just as easily be subpoenaed, or even be run by an intelligence agency, like Tor).
My understanding is that it is not actually easy to subpoena records from all the VPNs cloaking traffic to a specific site. In fact there could be a significant cost attached to doing that. So while it might make you look guilty in some situations, it can protect your innocent behaviour from being snooped until you do something to justify appropriate suspicion.
As stated
---
The approved subpoena requires the company to turn over “documents reproducing all server logs, IP address logs, account information, account access records and application or registration forms” tied to Hotz’s hosting.
---
I'm pretty sure they would need to apply for another subpoena in order to uncover any IPs coming from a VPN. Now this could be done if it was warranted, but most of the time I doubt it would be pursued and it might even be hard to prove it was warranted for each VPN?
Now just for fun, let's say you're tunneled to a VPN that's tunneled to another VPN, to another, etc. While you could still be chased down, it probably not practical in most situations like this. I wonder if one company could provide a service that uses multiple routings like this through different registered entities requiring the authorities to request records for each of the different entities in order to track down just one account. Then implement this on a large scale...
I don't know how much traffic their infrastructure is up to serving, but Iceland is supposed to be good in that regard. When the US tried to subpoena the Twitter account records of an Icelandic MP, the US Ambassador to Iceland was called in to explain TF the US thought it was doing. (Twitter was also able to quash the subpoena on appeal, and as it was regarding an Icelandic citizen, it's not directly on point.)
All that aside, it was my understanding that they wanted to remake their Internet image as a privacy haven of sorts -- the kind of place someone like Assange/WikiLeaks could safely host their service. I'm having a spot of trouble finding relevant primary sources; can anyone else help point me in the right direction?
(Following up to myself, since the edit link has expired.)
After some more digging, I found a few relevant links, the most direct of which is [1]. A number of other articles re-hashed the same points described there, but I did find a few like [2], which also describe Iceland's connectivity -- it's far better than I'd thought. As of a year ago, they had on the order of 8 tbps in undersea cables, stable ping times of around 100ms to the US (and, presumably to the EU, if not better), 100% geothermal power, and a climate that would enable passively cooled data centers.
I couldn't find anything directly relevant to whether access logs would be subpoena-able, but the reading I get from what I did find is that their focus is more on being a transparency haven than a privacy such. Whistleblowers, journalists, and their sources are clearly very well protected by the IMMI (which appears to have passed unanimously). It's also, however, explicitly stated that the new law won't change anything in the current law WRT child pornography and copyright infringement, usually the big bugaboos of the "we need to control the interwebs" crowd. (Not to say those aren't problems; they just aren't the problems they're usually made out to be.)
So, net, I'm not sure Iceland's the answer to these kinds of shenanigans, but it's clearly a step in the right direction.
What Sony's trying to do is locate jurisdiction in the ___location where the data ends up. So, it would be irrelevant as to where it came from. You could host in Iran and they would still attempt to show it being under a CA court.
I think kmfrk is trying to ask if there are any countries where you would likely be safe from a judge turning over your users' data to Sony just to see if any of them were in California.
Sony always gets what it wants. While they're not fundamentally wrong, since it's their product, they're playing whack the mole with a large hacker community. This can't end well.
I'll admit that I haven't followed the story that closely, but from my understanding, he hacked his PS3 and posted what he found, right? Wouldn't we, as a reasonably logical technical community, see that as his system and he would be free to do with it what he wants (the hack, probably not the post)? Perhaps posting it is where they have a case (INAL), but I can't see any justification for going after him for merely hacking/poking around his PS3 hardware and software.
I started to see this pop up in some posts recently:
* apple's hardware...they have the right to do what they want
* sony's hardware...they have the right to do what they want
I don't exactly know when this started but I think it's worth correcting and trying to stop. No reasonable person would assume that you could buy any physical device and NOT be allowed to do whatever you want to it. There may be usage restrictions (you can't modify your car w/ a jet pack and expect to drive it on a public road...), but if you are doing something for educational/experimental purposes, I can't see how it would be illegal.
Anyone care to comment? I'm open to having my position changed if someone can show me why.
IANAL, but the DMCA includes a ban on circumventing access controls. Recently exceptions to this ban were issued, allowing people to jailbreak their iphones. Unfortunately the broadest exceptions were limited to "telephone handsets."
The summary of the exception with respect to video games said this:[1]
>(4) Video games accessible on personal computers and protected by technological protection measures that control access to lawfully obtained works, when circumvention is accomplished solely for the purpose of good faith testing for, investigating, or correcting security flaws or vulnerabilities, if:
>>(i) The information derived from the security testing is used primarily to promote the security of the owner or operator of a computer, computer system, or computer network; and
>>(ii) The information derived from the security testing is used or maintained in a manner that does not facilitate copyright infringement or a violation of applicable law.
IANAL, but it is not a general prohibition on circumventing "access controls", so he may not need to rely on an exception.
17USCs1201 (added by the DMCA) says:
(a) Violations Regarding Circumvention of Technological Measures.
- (1)(A) No person shall circumvent a technological measure that
effectively controls access to a work protected under this title.
The prohibition contained in the preceding sentence shall take
effect at the end of the 2-year period beginning on the date of the
enactment of this chapter.
So the technological measure must "effectively control access to a [Copyrighted work]".
Jailbreaking a games console does not circumvent the technical measures that prevent copying - at most, it might circumvent technical measures that prevent someone from circumventing technical measures.
The Court of Appeals for the 9th Circuit (including California) has a precedent that makes the anti-circumvention provision rather broad (more than a plain language interpretation of the law would otherwise imply); other circuit court rulings have interpreted the law to be much more narrow and not cover circumvention that doesn't allow / involve copying; presumably this is why Sony wants it heard in California and Geohot wants it heard in New Jersey (under the jurisdiction of the Court of Appeals for the 3rd Circuit).
No, the DMCA bans circumventing a measure that prevents copying. Sony needs to prove that their locks on the PS3 prevent copying. I'm not sure they do.
I guess the question is whether him giving users root access to their machine is 'facilitating copyright infringement' or not. I guess if you read it by the letter of the law he may be guilty, but thankfully the letter of the law isn't always king. This was probably meant more like, "does not actively encourage copyright infringement and facilitate that need."
I've only seen people say "It's Apple's App Store, they have the right to do what they want with it", not "It's Apple's hardware, they have the right to do what they want with it".
I don't know anyone who would question a hardware owner's right to do as they please with it.
>To be clear, we believe you have every right to push forward such a policy. In our view, it’s your hardware and your channel and you can put forth any policy you like.
Apple's server hardware isn't the issue: Apple is asking for a 30% cut when Readability is processing and distributing content. (Maybe; I'm not sure how the Readability app specifically works. But Readability is theoretically in the same boat as Amazon, where Amazon is hosting all of the content, and Apple expects a cut because you're using an iOS device, and Apple maintains that their curator position licenses them to revenue sharing from all apps, regardless of who hosts the content.)
Morally I agree that something you buy is yours to do what you want with, but in practice there are routinely restrictions on what you can/can't do, each with their own degree of right/wrongness.
For instance most people find it reasonable that you can't:
-Modify/bypass emissions equipment on your car.
-Saw off the barrel of your shotgun, or modify semi-auto -> Full auto
-Buy one copy of a movie then show it to the whole neighborhood and charge admission
I think in all those cases you mentioned it would be usage restrictions rather than actually being able to change the physical object you bought. And it would be the government saying you can't do something, not BMW or Colt handguns.
Again, INAL, but I thought you could modify a semi-auto and saw off the barrel as long as they were used at the shooting range (for instance...probably a state by state law as well).
And I'm fairly certain you can bypass the emission on the car to modify to make it a track car, for instance, or make it farm equipment. Again, not really up on the law, more anecdotes I've seen in my personal life.
> And it would be the government saying you can't do something, not BMW or Colt handguns.
I think this is a key point. Is it the government telling you that you can't do something (that is against the law) or a company using the law to prevent you doing something that they don't want you to do. I would guess that the former would be governed by criminal law and the latter by civil law - please correct me if I am wrong.
In this case, it is Sony using the law to try to prevent people learning how to root their PS3s and doing so through civil courts.
I thought you could modify a semi-auto and saw off the barrel as long as they were used at the shooting range (for instance...probably a state by state law as well
Nope, it's a federal law that prohibits you from possessing a short-barreled shotgun or a full-auto anything. This is since the National Firearms Act of 1934. Selling such a shotgun (after being goaded into it and entrapped by a ATF agent) was what precipitated the Ruby Ridge massacre.
In fact -- and you'd think this would fall foul of the 1st Amendment -- it's illegal to distribute a pamphlet that tells someone how to convert their rifle to full auto.
I agree... usage issue: another example is modify a phone so it transmits at non-standard frequencies I'm in my right to do it. If I'm at home or a non-public place that's shielded I can do what I want, but the public airways outside are under FCC regulation and then I'm breaking the law not for doing the modification but for using it in regulated space. It's the same way a companies tests out development phones and transmitters before getting a licence.
For your first point (and I only know this from accidental experience), it is extremely easy to bypass emissions equipment on a car, 1995 or newer.
On cars from 1995 an up all cars had to have an OBDII compatible port that lets car manufacturers read out the codes, but it was primarily designed to speed up emissions testing. Instead of putting the car on the tread mill now all they have to do is plug in the computer and get the codes back from the car. The car is continuously monitoring its output anyway to get the right fuel/air mixture to get the best possible gas mileage.
The way it does this is with a series of O2 sensors that are placed near the exhaust port on the engine and continuing down the exhaust for one or two more.
The thing is that if one of those sensors is faulty or dirty it will return that code, however since cars also have to run when the sensor has broken or just isn't installed the computer will completely ignore it and not fire a code for it at all. On my car all of my O2 sensors were broken, and I didn't know it until I brought it into a mechanic as I didn't think it was running correctly. I had passed emissions since my computer said everything was fine, but if it had been put on the tread mill (which would have cost me the same $27.50, so the state makes the same money whether they computer it or run it) it would have had "high" emissions because the fuel/air mixture was not right and I was basically dumping unburnt fuel into my exhaust.
After the O2 sensors were fixed my car ran much better.
It surprised me that my car didn't throw a code for the O2 sensors being completely gone as far as the computer was concerned, but it just goes to show that some things are easy to bypass.
Most people absolutely do not find it reasonable that you can't buy one copy of a movie and show it to the whole neighborhood. In fact they assume you can; people do it all the time.
I don't like the "licensed not sold" line. A copy was sold, U.S. law (generally) backs that up, and that means there are certain things you can do with it such as loan it out or give it away/resell it. You can't copy it, but that's because of copyright law, not because it's licensed-not-sold.
they're playing whack the mole with a large hacker community
Large companies need to realize that they're actually engaging in asymmetric warfare when they do this. The worldwide hacker community that's aware of Sony far outnumbers the internal dev group that did their security.
What's more, Sony suffers from the typical company illusion of hiring the top 1%:
But groups of hackers on the internet have none of the friction that exists in corporations, and so are operating in a purer, less-diluted meritocracy. As a result, companies doing DRM are generally outnumbered by more qualified opponents.
The basic rule of asymmetric warfare, is that you don't take on your opponent in a head-on fair fight. That's absolutely the worst thing to do. You need to turn the situation on its head, like the IRA did. Usually, the outlaw is in the position where, "You have to beat them every time. They only have to catch you once." But the IRA had that turned on its head. They only had to get away with something "once," and the British authorities had to catch them every time.
Companies can deal with pirates, but they have to realize that they are the underdogs, not the big guy in this fight. The best thing for them to do is to figure out how to win without fighting. Failing that, they need to figure out how they can be the ones who "only have to win once."
(I've been figuring this out, and yes, it can be done.)
They're trying to "only have to win once" by going after the top PS3 hackers. All of the defendants listed so far (geohot, fail0verflow) have unequivocally condemned piracy. Sony doesn't go after the pirate developers because, so far, none of them have shown much skill in uncovering new vulnerabilities - they take and rehash what fail0verflow, geohot, et al have done to support piracy. [1] Not to mention it is a lot easier to go after geohot, a guy who believes what he is doing is right and doesn't want to live in a world where he has to hide his research, than an anonymous pirate developer.
[1] The minds behind original PSJailbreak dongle (which enabled backups and piracy) do deserve credit for their brilliant USB exploit. Back to my main point, many have said that the PSJailbreak crew was only able to start their work after geohot exploited the PS3 hypervisor and documented how to do so.
They're trying to "only have to win once" by going after the top PS3 hackers.
That's just plain wrong. All Sony is going to do is to drive all the hacking completely underground. All of it will be black hat.
That's not what I meant about "only winning once." That's just another whack of the whack-a-mole mallet. Here's how you "only win once" while you are forcing your enemy to "win every time."
1) Let people copy and run your game, but require them to pay when connecting to the official company servers.
2) Devote all of your technology and development resources to only detecting pirates, but don't ever take any direct action against them. Don't even let them know immediately if they've even been detected.
3) Ensure that all of the highest glory, fame, and bragging rights in your userbase go to winners of tournaments on the official servers.
4) Take indirect action against pirates, but only in ways which are hard for the pirates to substantiate. Never lock them out, outright, but start degrading their gameplay experience in ways which make them look like they're "whiners." Attack their gameplay experience, but only periodically and when it will hurt them the worst. Start rumors that various cracked versions of the games have bugs. Ban pirates and warez users, but only from the big official tournaments on the official servers, perhaps many months after they've been detected as pirates.
5) Continually update the game, including the detection technology.
In this scenario, those running your software illegally are the ones who will always be looking over their shoulder, wondering if they've been caught. At least at first, no one will have strong motivation to crack the detection technology, since they can run the game anyways. Be continually changing the detection technology, so that any given crack only lasts a month or so. One can even compartmentalize the detection technology, such that any given crack will only work on a fraction of the installed base. If done correctly, you can convince people to simply pay for the game.
This isn't "getting medieval." It's "getting Machiavellian."
