• PSN Communications Decrypted, “Call of Privacy: Modern Spyware”
    38 replies, posted
[URL]http://www.ps3hax.net/2011/02/call-of-privacy-modern-spyware-by-playstation-network/[/URL] [quote] Long time PS3 Dev [B]SKFU [/B]posted a link on IRC and his twitter, to quite an interesting article, discussing the security of the Playstation Network([URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL]), the article is written by a group calling itself “[B]The Anonymous Data Protection Officers[/B]“, here it is in full: [B][B]Prologue[/B][/B] Due our objective research of the SONY PlayStation Network, we decrypted nearly 100% of the traffic transferred over proxies, http and https to and from the [URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL]. Just out of curiosity, not to harm anyone or anything and not like SONY may want people to see it. As SONY calls the scene hackers “evil”, we surely do not address pirates and skiddies, we wondered how SONY is treating the users’ privacy and rights (remember the Music CD/DVD and USB stick rootkits). After we noticed a few badass functions they have built into the [URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL]/PS3 functionality, we just call it the “Call of Privacy: Modern [URL="http://www.ps3hax.net/tag/spyware/"]Spyware[/URL]” case. Below we list and explain a few of the shady [URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL] functions and data mining stuff. And remember: EVERYONE has a right to know about YOUR OWN PRIVATE data being transferred over the networks ! [B][B]Sensitive data[/B][/B] Even if a connection is SSL encrypted, companies are aware of the big risk behind custom CA files and it’s possibilities. SONY seems not to care about those known vulnerabilities. It is a big company and a HUGE network. With huge we mean a magnitude of hundreds and even thousands: the [URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL] utilizes thousands of servers, handled by a very small group of administrators and quality assurance people. (Copied from PS3Hax.net) The IP ranges and domains of these servers are retrievable by anyone, cause this is how the Internet works ! It is all public data and information ! An example is the credit card information and the login authentification itself. Take a look at the traffic: [B]creditCard.paymentMethodId=CC_COMPANY& creditCard.holderName=EXAMPLENAME& creditCard.cardNumber=1234567890123456& creditCard.expireYear=2012&creditCard.expireMonth=2& creditCard.securityCode=123& creditCard.address.address1=EXAMPLESTREET%2024%20&creditCard.address.city=EXAMPLECITY%20& creditCard.address.province=EXAMPLEREGION%20& creditCard.address.postalCode=12345%20[/B] The credit card information should ALWAYS be encrypted. In ANY case. At least the security code. SONY is only relying on it’s https connection. With all those CFWs spreading around, this is not secure anymore. Same goes for the user details: [B]serviceid=IV0001-NPXS01001_00& loginid=example@mail.com& password=examplepassword& first=true& consoleid=EXAMPLEID123[/B] Such sensitive data can now be captured by anyone who builds his own custom firmware with custom certificates. There are enough n00b-friendly tools by now. Means, little scriptkiddies can spread their little CFWs and phish user data. As many of these people are using a third party DNS, they are a potential victim of phishing. At the beginning of the PS3 launch, this user data was even transferred over http ! That being said, we continue with… [B][B]Information gathering[/B][/B] The PlayStation Network agreement states that SONY is allowed to collect nearly any data that is connected with your privacy.It is clear, that SONY won’t tell you WHAT they are collecting in the TOS etc., as many people would never accept that TOS. A few month ago we noticed the TOS silently beeing updated without a new user agreement request. It was about that you have the right to contact a “Data Protection Offier” at SCEE, who can can give you details about what data is collected. So we phoned SCEE. Beeing forwarded to many people, it turned out that there is no so called “Data Protection Officer”. Funny right? Shortly after this call, the clause was removed from the TOS. SONY itself told us, that they do not know, what we are talking about regarding this Officer.(Copied from PS3Hax.net) They told us, that there was never such a position inside SONY, neither a phone number. Even the address was non existing ! Still it is an impudence what huge amounts of data they are collecting. One example is an information list which is transfered everytime you login the [URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL] as well as at some random time. A few short quotes: [B]TFT-TV[/B] This is a string sent to SONY which includes your TV model. The list is long and contains a lot more like information about attached USB devices, your home network, your playtime behaviour, installed games, apps, homebrews or their so called “circumvention devices” and so on. Details about your Home network, statistics etc. Modern user tracking we guess They try to make every [URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL] user transparent like a glass figurine. It seems that not only the governments are going for such plans. [B][B]The BANHammer[/B][/B] Now SONY is swinging the “mighty” banhammer. Some users are banned, some are only warned. But who warns SONY? Their semi-legal tactics against the enduser are a joke. We again remember their rootkits on Audio Media and USB Sticks. Just for your interest, we quote a guy from SONY: [B]Thomas Hesse, President of Sony’s Global Digital Business, literally says: “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”[/B] This is not an urban legend -> [URL]http://www.techdirt.com/articles/20051108/0117239_F.shtml[/URL] So we could take this for an example and say: “Most people inside SONY don’t even know what security is, so why should they care about it?” If SONY cares about their customers, why are they treating them like totally douchebags ? Of course the quote does not reflect the view of the company itself, but HELL, this was not from a Jon Doe inside SONY, it was from a Department’s President ! The [URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL] is a core feature of the PlayStation3, like OtherOS was. So why do they ban the [URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL] of users who LEGALLY run homebrew (not backups!) on their consoles? Just because they do not like it? It is a fact that reversing a system is legal in most countries all over the world, and if someone who really only wants to run his own code (no, not backups!), which he legally signed and coded without any SONY libraries or documentation, would sue SONY, they would may lose. Reverse engineering is also allowed for analysing purposes. E.g. is a software/hardware implementing/running, rootkits, [URL="http://www.ps3hax.net/tag/spyware/"]spyware[/URL], malicious code, security flaws, transferring privacy data and so on. Imagine if this wouldn’t be legal, any antivirus software would brake the law ! The companies of antivurus software are reverse engineering virus code, that is NOT copyrighted by them ! So why are those companies allowed to RE and even PUBLISH their findings to the public but not people like fail0verflow etc. ? By studying the [URL="http://www.ps3hax.net/tag/psn/"]PSN[/URL] since it’s launch we know it’s vulnerabilities pretty good right now and unbanning consoles might be as easy as banning consoles. It is an infinite circle of “who-is-better”. Sony just can not, or just don’t want to, make a clear distinction between pirates&skiddies and hackers, who only want to OWN and UTILISE what they OWN and PAID for. Hackers are responsible for creating stuff like the PC, Unix, Windows, Macs, the Internet, the WWW, AAA games etc. Guess what IBM is calling their Cell/Hypervisor docs ? Make an educated guess: Hackers Guide. [B][B]Research Hypervisor Hackers Guide:[/B][/B] This document is intended for programmers who wish to discuss the code of the Research Hypervisor Project. It also attempts to introduce the hopes and dreams of the maintainers of the code that, hopefully, will make those dreams a reality. [URL]http://www.research.ibm.com/hypervisor/HackersGuide.shtml[/URL] [B]One last thing: Our research is based on PUBLIC information, Hardware/Software we OWN and PAID for and the right for our PRIVACY to be PROTECTED ![/B] - The Anonymous Data Protection Officers[/quote] [url]http://www.multiupload.com/G4XGCDDZBN[/url]
Hopefully this will form another class-action lawsuit to pressure Sony to clean up their act.
It just gets worse for Sony.
The PS3 has been torn a new asshole with all this stuff going on.
Damnit Sony :argh:
Wow.
BRB, getting off PSN until this shit gets patched and encrypted.
Never used PSN anyway, always thought it was a pile of crap and this just proves it.
i don't really give a fuck as long as i can still play uncharted 2 online i'm content
Oh wow, Sony. I just can't wait for a class action lawsuit. Geohot should win.
[QUOTE=Starpluck;28113295][img]http://www.mylegaladvance.com/images/lawsuit-cash-advance-gavel-money.jpg[/img][/QUOTE] A gavel wouldn't make very much noise if there was money under it oh snippin your posts are ya
Well, that's what you get for having shit security.
holy shit wow, damn sony, lazy fucks.
This is outright ridiculous
If sony would've just shut their mouth and accepted the rooting and not ban anyone off it, this maybe wouldn't arise.
I don't think I have my credit card info on PSN. I haven't purchased anything so I wouldn't expect so.
[QUOTE=FFStudios;28113419]i don't really give a fuck as long as i can still play uncharted 2 online i'm content[/QUOTE] So you don't give a fuck that your bank details are being transferred over unencrypted https connections for anyone with a basic understanding of [I]computers [/I]can see?
[QUOTE=Madman_Andre;28114742]So you don't give a fuck that your bank details are being transferred over unencrypted https connections for anyone with a basic understanding of [I]computers [/I]can see?[/QUOTE] Please define "basic understanding". I deal with end users, and they say they have an advanced understanding.
So Sony is incredibly lazy apparently. First non-random random number key security, now unencrypted credit card information handling. This is beyond retarded.
Removing all credit card details from my PSN Account. Right now.
[QUOTE=LoLWaT?;28113484] In an almost completely unrelated thought... I find it pretty funny that Gabe finally switched sides to PS3 while calling Microsoft a "train wreck" and [B]THEN[/B] everything at Sony starts to fall apart with this shit. :v:[/QUOTE] Valve then makes a console. and all is right with the universe.
[QUOTE=goon165;28115142]Valve then makes a console. and all is right with the universe.[/QUOTE] I'd totally buy a console from Valve.
[QUOTE=Hoffa1337;28115369]I'd totally buy a console from Valve.[/QUOTE] I wonder what it'd be able to do!
[QUOTE=gazzy_GUI;28115618]I wonder what it'd be able to do![/QUOTE] use mice and keyboard
[QUOTE=gazzy_GUI;28115618]I wonder what it'd be able to do![/QUOTE] Sell hats.
[QUOTE=gazzy_GUI;28115618]I wonder what it'd be able to do![/QUOTE] microtransactions
[QUOTE=gazzy_GUI;28115618]I wonder what it'd be able to do![/QUOTE] play crysis 2
I use a card that rarely has money in it. I don't give a flying fuck. And this is a standard in the world. Many companies really don't give a shit about their customers credit card information.
I'd buy a console from Valve, only because I'd assume I'd be able to play most of my games from Steam on it, or at least the games that supported the feature.
[QUOTE=gazzy_GUI;28115618]I wonder what it'd be able to do![/QUOTE] It would scan your house periodically and if it detected anything amiss you'd get VAC banned and it would shut down permanently with no way of appealing it
Sorry, you need to Log In to post a reply to this thread.