Deep Insecurity

Published as part of our sister-site GamesIndustry.biz's widely-read weekly newsletter, the GamesIndustry.biz Editorial, is a weekly dissection of an issue weighing on the minds of the people at the top of the games business. It appears on Eurogamer after it goes out to GI.biz newsletter subscribers.

It's hard to imagine a more unpleasant start to 2011 for Sony than the revelation which greeted the games industry as it returned to work this week. The PlayStation 3, considered since its launch to be one of the most secure consoles ever constructed, appears to have had its security systems blown wide open by a group of dedicated hackers.

Huge flaws in the software which is designed to prevent the copying of PS3 games or the execution of unauthorised code have been revealed, and the consensus among those familiar with the hardware is that - assuming the hackers have accomplished what they claim, and they've given no reason to doubt them thus far - Sony's machine is now practically wide open.

The spectre which looms over the PS3 in 2011, then, is one of an arms race with hackers. The team responsible for the current hack, Fail0verflow, professes to be firmly anti-piracy and interested only in giving consumers the right to execute whatever code they choose on hardware they have bought - a common ideal of the technologically minded. Other groups, of course, will use the knowledge Fail0verflow have released in far less scrupulous ways.

The biggest headache for Sony, however, lies in the fact that what has been exposed is such a fundamental security problem that it has actually handed hackers the private keys used to sign code to run on the PS3. For those unfamiliar with this kind of security, the bottom line is that those keys should never, ever fall into outside hands - they will allow programmers to write any code they like, including custom firmware, which the PS3 will run just as happily as if it had originated from within Sony itself. Moreover, those keys can't simply be revoked by a firmware upgrade or even a new version of the console, because every piece of software released for the PS3 thus far relies on them to operate.

Recriminations will inevitably fly over the hack itself. Plenty of people are already lining up to condemn the hackers who revealed the security flaw, which seems like fairly misdirected anger - investigating and uncovering security problems is a key part of the process which makes security better down the line, and bluntly, it's far better that this kind of issue be revealed by a "white hat" (that is to say, non-destructive and moral) group of hackers than for it to be found and exploited by "black hat" (destructive, profiteering or outright malicious) hackers.

Others are, rather more justifiably, angry with Sony. The problem revealed by the hackers was a pretty basic one - an equation which needs to be fed a random number in order to generate cryptographically secure files was instead being given the same number every single time code was encrypted, which made it easy for the hackers to reverse-engineer the maths and spit out the all-important private key. That's an amateur-level mistake, and while plenty of blame will no doubt be apportioned within Sony for the error, the rest of the industry can quite reasonably ask why processes to catch this kind of problem either weren't in place, or didn't work.

Because it is, after all, the rest of the industry that will suffer the greatest impact from this security failure. The hackers who follow in Fail0verflow's footsteps and create custom firmware to run pirated games, emulators and so on will be targeting Sony's hardware, but it's third-party publishers and developers who have most right to be outraged. The licence fee they pay to Sony for every piece of software they sell is, in many respects, a fee for security - the price of selling software on a platform where piracy is difficult or damn-near impossible. Now that has been taken away from them, with the PS3 looking set to become the easiest platform to pirate software for - easier even than the Wii, DS or PSP, all notorious piracy targets but all of which require some degree of technical knowledge to get pirated software working.