Thoughts on Sony

In case you haven’t heard what has happened, a group of hackers called fail0verflow recently gave a presentation that demonstrated the lack of security on Sony’s PlayStation 3 console. The team demonstrated how the attack can be performed on the system and used to discover the private key Sony uses to sign software on the PlayStation.

Geohot then based his attack on fail0verflow’s work, was successful in finding the PlayStation’s private key, and posted it on his website. For a few days, the world wondered: what will Sony’s response be? And now we know…

Sony originally filed for an injunction against geohot and the fail0verflow team to force them to remove their tools/information from the internet, ideally prevent the spread of the tools, and force them to stop all future work. The lawsuit has since been updated, with Sony now also seeking damages.

This court case, if it makes it to court, could set a dangerous precedent, but it could also set a very consumer-friendly one. It was ruled last year that it is 100% legal to unlock and jailbreak an iPhone for use on other carriers and/or to access an app store that is not allowed by Apple. At the moment, the ruling extends only to the phone, but I, the EFF, and probably many others out there hope that it can be granted to consoles, and eventually all electronic gadgets.

The way Sony wants this to be ruled, it is designed to benefit only the big businesses. I completely agree with Sony protecting its system and doing anything it can to prevent software piracy. I am against piracy, and would just like to see the console opened up for homebrew. However, Sony is specifically going against security researchers with this lawsuit. Researchers need to have the right and ability to test the security of gadgets/systems/etc. and release information to the public without the fear of lawsuits. Without this, security would not be where it is today. Without the ability to research and release, systems will stay unpatched because their vulnerabilities would not have been discovered. It would only put consumer information at risk, and protect the companies that don’t want to spend the time properly securing their infrastructure.

Let’s hope the courts can clearly see all the facts.