Soon-to-be-celebrity hacker and pain in Sony's arse George
'Geohot' Hotz has denied any involvement in the ongoing breach at the
PlayStation Network.
The 21-year-old hacker - who is best known for creating the first
software-based hack for the iPhone, and getting hypervisor access and
exposing the root key to the PlayStation 3 - has made it clear that he
had nothing to do with filleting Sony's online gaming servers.
In a blog post,
Hotz, who was recently hauled through the US legal system by Sony's
dogs of law, says: "Anyone who thinks I was involved in any way with
this, I'm not crazy, and would prefer to not have the FBI knocking on my
door. Running homebrew and exploring security on your devices is cool,
hacking into someone else's server and stealing databases of user info
is not cool. You make the hacking community look bad, even if it is
aimed at douches like Sony."
Hotz says that he was originally planning a homebrew alternative to
PSN and jokes that, if Sony hadn't thrown a legal spanner in the works,
at least some PS3 owners would now have a place to game online.
The hacker also says he doesn't blame Sony's engineers for the
embarrassing and costly intrusion, instead laying the blame firmly at
the feet of the company's board.
"The fault lies with the executives who declared a war on hackers,
laughed at the idea of people penetrating the fortress that once was
Sony, whined incessantly about piracy, and kept hiring more lawyers when
they really needed to hire good security experts," he writes.
"Alienating the hacker community is not a good idea."
Sony will probably never publicly reveal how its infrastructure was
so easily attacked, allowing the personal details of 77 million users to
be stolen, but Hotz is willing to speculate:
"I bet Sony's arrogance and misunderstanding of ownership put them in
this position," he says.
"Sony execs probably haughtily chuckled at the
idea of threat modelling. Traditionally the trust boundary for a web
service exists between the server and the client. But Sony believes they
own the client too, so if they just put a trust boundary between the
consumer and the client (can't trust those pesky consumers), everything
is good.
"Since everyone knows the PS3 is unhackable, why waste money adding
pointless security between the client and the server? This arrogance
undermines a basic security principle, never trust the client. It's the
same reason [Modern Warfare 2] was covered in cheaters, EA even admitted
to the mistake of trusting Sony's client. Sony needs to accept that
they no longer own and control the PS3 when they sell it to you.
"Notice it's only PSN that gave away all your personal data, not Xbox
Live when the 360 was hacked, not iTunes when the iPhone was
jailbroken, and not GMail when Android was rooted. Because other
companies aren't crazy."
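The trust-boundary point Hotz makes above, as an added illustration that is not part of the article or of Hotz's post: a hypothetical profile-lookup handler written once with the boundary between consumer and client (the server believes whatever the "unhackable" client asserts) and once with the boundary between client and server. The session and profile data are constructed for the example.

```python
"""Two versions of a hypothetical online-service request handler.

handler_trusting_client models the design Hotz criticises: the server assumes
the console cannot be tampered with, so it believes the account id and the
privilege flag the client puts in the request body.

handler_trusting_server puts the boundary between client and server: identity
and privileges come only from server-side state, and the body is untrusted.
"""
from typing import Optional

# Constructed sample state: session token -> account id, and account records.
SESSIONS = {"sess-abc": "user-1001"}
PROFILES = {
    "user-1001": {"email": "p1@example.invalid", "moderator": False},
    "user-1002": {"email": "p2@example.invalid", "moderator": False},
}


def handler_trusting_client(request: dict) -> Optional[dict]:
    """Vulnerable: whoever controls the client controls identity and role."""
    body = request.get("body", {})
    account = body.get("account_id")          # client names the account
    profile = PROFILES.get(account)
    if profile is None:
        return None
    # The client-asserted flag overrides the server's own record.
    return {**profile, "moderator": bool(body.get("moderator", False))}


def handler_trusting_server(request: dict) -> Optional[dict]:
    """Hardened: identity is bound to the server-side session only."""
    account = SESSIONS.get(request.get("session"))
    if account is None:
        return None                            # not authenticated
    body = request.get("body", {})
    # A client may only ask about itself; any other id is rejected.
    if body.get("account_id", account) != account:
        return None
    # Role comes from the server record; the body's flag is ignored.
    return dict(PROFILES[account])
```

The same forged request (a valid session for user-1001 asking for user-1002 with a moderator flag set) yields another user's record from the first handler and nothing from the second.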
As a parting shot, Hotz has some advice for the PSN hacker, who is
currently being pursued by both Sony and law enforcement agencies: "To
the perpetrator, two things. You are clearly talented and will have
plenty of money (or a jail sentence and bankruptcy) coming to you in the
future. Don't be a dick and sell people's information."