STE WILLIAMS

Sony tweets ‘secret’ key at heart of PS3 jailbreak case

An official Sony Twitter account has leaked the PlayStation 3 master signing key at the heart of the company’s legal offensive against a group of hackers being sued for showing how to jailbreak the popular game console.

Kevin Butler, a fictional PS3 vice president, retweeted the metldr key in what can only be assumed was a colossal mistake.

“Lemme guess… you sank my battleship?” he wrote in a post to the micro-blogging website that has been preserved for all the world to see. It goes on to include the key and the ironic words “Come at me.” The message was later removed from Butler’s tweet stream with no explanation why the key was leaked and then removed.

In a lawsuit filed in federal court in San Francisco last month, Sony accused well-known jailbreaker George Hotz, aka geohot, and more than 100 other hackers of violating US copyright law by disclosing the key, which is used to sign games and software that run on the PS3. Last week, Sony expanded its legal dragnet when it filed a series of motions seeking the identity of YouTube and Twitter users who did nothing more than discuss the issuance of the key or view videos showing how the latest hack worked.

Sony contends that videos and web postings disclosing the key violate provisions of the Digital Millennium Copyright Act that prohibit the circumvention of technology designed to prevent access to copyrighted material. Two weeks ago, the judge presiding over the case tentatively ruled Sony was likely to prevail on those claims and issued a temporary restraining order to prevent what she said would be “irreparable harm” if Hotz wasn’t required to surrender all his computer gear and remove all references to the hack that he posted online.

Sony’s gaffe shows just how futile the company’s attempts to prosecute people who discussed the key are, said Stewart Kellar, the San Francisco attorney representing Hotz.

“It just demonstrates that the restraining order here will not prevent imminent irreparable harm to Sony because if there is harm it’s already occurred,” he told The Register. “The key is already out there. Restraining George will not stop the key from being distributed.”

A court hearing is scheduled for Thursday in the case so the judge can hear arguments that the temporary restraining order is overbroad and should be rescinded.

Sony, which says it’s sold about 44 million PS3s, has said its suit is necessary to prevent pirated games from running on the console. Hotz and members of the fail0verflow hacking collective, which in December published a PS3 jailbreak technique independent of Hotz, insist the hacks expand the functionality of the console so it can run custom, “homebrewed” applications that aren’t covered by copyright.

Last year, the US Copyright Office exempted iPhone jailbreaking from the DMCA so the handsets can run apps not officially sanctioned by Apple. Game consoles are unaffected by that act.

An email sent to Butler and a phone call to Sony’s PR department weren’t returned.

Bill Gates: Killing The Internet is Easy

Gun power trumps tweet power

By Gavin Clarke in San Francisco

Posted in Networks, 2nd February 2011 05:48 GMT


When the revolution comes, someone’s always ready to tell you how Facebook and Twitter are powering history.

The problem is that while they’re still standing, governments can snuff out Facebook and Twitter whenever they like. All they need do is flip the “off” switch on the servers, routers, and wireless equipment used by local service providers.

Just ask Bill Gates.

When US TV anchor Katie Couric asked the Microsoft co-founder and chairman if he was surprised that Egyptian president Hosni Mubarak could take the unprecedented step of killing the entire Egyptian internet, Gates responded with an emphatic “no”.

Sometimes, he knows what he’s talking about.

“It’s not that hard to shut the Internet down if you have military power where you can tell people that’s what’s going to happen,” Gates said. “Whenever you do something extraordinary like that you’re sort of showing people you’re afraid of the truth getting out, so it’s a very difficult tactic, but certainly it can be shut off.”

Web traffic analysis firm Renesys, tracking the blackout, encapsulated the enormity of the situation here:

Every Egyptian provider, every business, bank, Internet cafe, website, school, embassy, and government office that relied on the big four Egyptian ISPs for their Internet connectivity is now cut off from the rest of the world. Link Egypt, Vodafone/Raya, Telecom Egypt, Etisalat Misr, and all their customers and partners are, for the moment, off the air.
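The Renesys observation above is a routing-table observation: the Egyptian providers’ address blocks stopped being announced in BGP, so the rest of the world had no path to them (the article does not spell this out). The following is an added example, not code from the article or from Renesys, of how such a shutdown is detected from two snapshots of a routing table. The prefixes, ASNs and the ASN-to-country mapping are constructed placeholders, not real Egyptian routing data.

```python
"""Added example (not from the article or from Renesys): how a national
shutdown shows up in BGP data as mass prefix withdrawal.

The two "snapshots" below are constructed lists of (prefix, origin ASN)
pairs as a collector would see them before and after the event. A real
feed (RouteViews / RIPE RIS MRT dumps) would be parsed into the same shape.
ASNs 64500-64503 are from the private range; the country mapping is a
placeholder.
"""
from collections import defaultdict

BEFORE = [
    ("203.0.113.0/24", 64500), ("203.0.113.128/25", 64500),
    ("198.51.100.0/24", 64501), ("198.51.100.0/25", 64501),
    ("192.0.2.0/24", 64502), ("192.0.2.0/25", 64502), ("192.0.2.128/25", 64502),
    ("100.64.0.0/24", 64503),   # an AS in an unrelated country: stays up
    ("100.64.1.0/24", 64503),
]
AFTER = [
    ("192.0.2.0/24", 64502),    # one provider still announces a single route
    ("100.64.0.0/24", 64503),
    ("100.64.1.0/24", 64503),
]

# Hypothetical ASN -> country mapping (placeholder data).
AS_COUNTRY = {64500: "EG", 64501: "EG", 64502: "EG", 64503: "XX"}


def prefixes_by_as(table):
    """Group announced prefixes by origin ASN."""
    out = defaultdict(set)
    for prefix, asn in table:
        out[asn].add(prefix)
    return out


def withdrawal_report(before, after):
    """Per origin AS: (prefixes before, prefixes still announced, fraction withdrawn)."""
    b = prefixes_by_as(before)
    a = prefixes_by_as(after)
    report = {}
    for asn, prefs in b.items():
        remaining = prefs & a.get(asn, set())
        withdrawn = len(prefs) - len(remaining)
        report[asn] = (len(prefs), len(remaining), withdrawn / len(prefs))
    return report


def country_outage(before, after, as_country, threshold=0.8):
    """Aggregate per country: fraction of that country's prefixes that vanished.

    Returns the set of country codes at or above the threshold. A partial
    survivor (one AS keeping a route up) does not mask the outage, which is
    why the aggregate is over prefixes, not over ASNs.
    """
    b = prefixes_by_as(before)
    a = prefixes_by_as(after)
    total = defaultdict(int)
    gone = defaultdict(int)
    for asn, prefs in b.items():
        cc = as_country.get(asn, "??")
        total[cc] += len(prefs)
        gone[cc] += len(prefs - a.get(asn, set()))
    return {cc for cc in total if gone[cc] / total[cc] >= threshold}


if __name__ == "__main__":
    for asn, (n, left, frac) in sorted(withdrawal_report(BEFORE, AFTER).items()):
        print(f"AS{asn}: {n} prefixes before, {left} after, {frac:.0%} withdrawn")
    print("country-level outage:", country_outage(BEFORE, AFTER, AS_COUNTRY))
```

The point of the aggregate is that a single provider keeping one route alive (as the example's AS64502 does) does not hide a country-wide withdrawal; a per-ASN view alone would report that AS as partially up.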

And yet the Egyptian protests continue – without Twitter and Facebook.

As US chat-show host Conan O’Brien, himself the victim of a botched power struggle, apparently put it: “If you want people to stay at home and do nothing, why don’t you turn the internet back on?”

Next stop: the leader of the free world contemplates its own internet kill switch. ®


First DOS-based malware celebrates silver jubilee

The first virus capable of infecting DOS-based PCs celebrates its silver jubilee this month.

The Brain Virus, written by Pakistani brothers Basit and Amjad Alvi, was relatively harmless. The Alvis claimed the malware was there as a copyright protection measure to protect their medical software from piracy, an article by CIO magazine on the anniversary recalls.

Brain replaced the boot sector of an infected floppy disk with malicious code, moving the real boot sector to another part of the disk. The malware had the effect of slowing down disk access and, more rarely, making some disks unusable.

Any other floppies used on a machine while the virus was in memory would get infected, but the malware did not copy itself to hard disk drives, as explained in a write-up here.

The Lahore-based Alvi brothers were fairly upfront about their questionable actions, going as far as embedding their names and business address in the malware code. Although intended only to target copyright violators, the malware infected machines in the US and UK among other places.
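An added example, not from the article or from any antivirus product, of the kind of boot-sector triage that the mechanism described above invites: read sector 0 of a floppy image, check the PC boot signature, compare the sector against a hash recorded from a clean disk, and search it for the plaintext the article says Brain carried (the authors’ names). The images and the strings in them are constructed for the example and are not real Brain code; the known-good hash is assumed to have been taken from a clean disk.

```python
"""Added example (not from the article): minimal boot-sector triage for a
floppy image of the kind Brain infected. Sample images are constructed;
the "infected" bytes are illustrative text, not real virus code.
"""
import hashlib

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid PC boot sector

# Strings the article says were embedded in the code (authors' names),
# plus the virus's own name.
SUSPECT_STRINGS = [b"Basit", b"Amjad", b"Brain"]


def make_sector(body: bytes) -> bytes:
    """Build a 512-byte sector: body, zero padding, boot signature."""
    assert len(body) <= SECTOR - 2
    return body + b"\x00" * (SECTOR - 2 - len(body)) + BOOT_SIGNATURE


# Constructed images; only sector 0 matters for this check.
CLEAN_BOOT = make_sector(b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * 51 + b"clean loader stub")
INFECTED_BOOT = make_sector(
    b"\xEB\x3C\x90" + b"(c) Basit & Amjad, Brain Computer Services, Lahore"
)
CLEAN_IMAGE = CLEAN_BOOT + b"\x00" * SECTOR * 3
INFECTED_IMAGE = INFECTED_BOOT + b"\x00" * SECTOR * 3

# Assumed to have been recorded from a known-clean disk of the same type.
KNOWN_GOOD_HASHES = {hashlib.sha256(CLEAN_BOOT).hexdigest()}


def triage_boot_sector(image: bytes, known_good=KNOWN_GOOD_HASHES) -> dict:
    """Return findings for sector 0: signature validity, known-good match,
    suspect strings found, and an overall verdict."""
    sector0 = image[:SECTOR]
    findings = {
        "valid_signature": sector0[-2:] == BOOT_SIGNATURE,
        "matches_known_good": hashlib.sha256(sector0).hexdigest() in known_good,
        "suspect_strings": [s.decode() for s in SUSPECT_STRINGS if s in sector0],
    }
    if findings["matches_known_good"]:
        findings["verdict"] = "clean"
    elif findings["suspect_strings"] or not findings["valid_signature"]:
        findings["verdict"] = "suspect"
    else:
        # Valid but unrecognised boot code: a different OS, or a different virus.
        findings["verdict"] = "unknown"
    return findings


if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(name, triage_boot_sector(img))
```

The hash comparison is the check that matters: a boot-sector infector that strips its identifying text would still fail it, whereas string matching only catches the specimen that advertised itself.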

It’s hard to believe now, but the very few computer viruses prior to Brain infected early Apple or Unix machines.

It is highly unlikely any of today’s generation of VXers would do the same. Instead of curios such as the Brain virus, security threats these days take the more ominous form of Zombie botnet clients.

The Alvi brothers could never have imagined we’d get here, even though they arguably helped pave a small part of the way towards a world of Windows malware.

Lush website hack ‘exposes credit card details’

Luxury cosmetics firm Lush has ditched its UK website in response to a sustained hacking attack which left users vulnerable to credit card fraud.

The firm warns that credit card details submitted to the Lush.co.uk site between 4 October and 20 January may have been compromised by the assault by unknown hackers. Customers are advised to contact their bank as a precaution.

Lush wrote to its customers about the problem via email, copies of which were forwarded to us by several Reg readers. One reader reports that the credit card of a friend who had bought goods from Lush was subsequently used in a failed attempt to fraudulently purchase electrical goods online, anecdotal evidence that suggests the risk of fraud arising from this breach is far from theoretical.

E-commerce outlets sometimes suspend their website upon the discovery of a security compromise, restoring them once it’s decided that underlying problems that might have allowed an attack have been fixed. Lush has gone much further than this and decided to “completely retire” the present version of its website.

“Our website has been the victim of hackers,” a statement on Lush’s soon-to-be-abandoned website explains. “We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.”

The cosmetics retailer plans to launch a completely new website, one that initially at least will only accept PayPal payments.

Lush’s shops and mail order systems, run separately and not affected by the hack, will continue to trade as normal. UK-based Lush maintains multiple country specific websites throughout Europe, the US and parts of Asia. All appear to be trading as normal.

A quirky statement on Lush’s UK website, which links to a video ad promoting Lush and featuring glove puppets, concludes with a message to the unknown hackers. “If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers,” it said.

Lush’s website statement leaves plenty of questions unanswered, not least how many records were exposed by the attack and what went wrong with its UK site. The continued operation of multiple country-specific sites by Lush sits oddly with its decision to ditch, rather than just suspend, its UK site.

A spokeswoman said that Lush was in the process of putting together an updated statement on the incident, which we await with interest. She declined to answer our questions on how many records might have been exposed.

EU climate exchange website hit by green-hat hacker

An EU Climate Exchange website was hacked as part of a political protest against carbon credits by a green-hat defacement crew.

The front page of the ECX.eu website was sprayed with digital graffiti lampooning the concept of applying a market-based approach to tackling carbon emissions. An anonymous group of hacktivists called Decocidio claimed responsibility for the attack, which took place late on Friday.

The hack highlighted the group’s opposition to carbon trading as a means of tackling climate change, and contained links to activist groups Earth First, Climate Justice Action, and the Hack Block as well as an embedded video called The Story of Cap and Trade. Archived copies of the defacement, which carried the headline Super Promo – Climate for sale, can be found here, on a blog maintained by former TV meteorologist Anthony Watts.

The defacement was purged over the weekend and the ECX.eu was restored to normal operation by Monday morning.

IndyMedia Australia has more on the background and motivations of the hack’s perps here. Decocidio preposterously describes its attack as a public act of digital direct action.

Doubtless, as we speak, the perps are camped out in Epping Forest eating lentils and listening to 80s anarcho-vegetarian agitpop from the likes of Crass or Flux of Pink Indians.

Netcraft reports the Climate Exchange website runs Apache on Linux. It’s unclear how the attack was carried out or whether any deeper compromise into databases or other sensitive information was achieved. The vast majority of website defacements do not coincide with deeper breaches.

Attacks against climate change or research websites carry an extra political weight, especially after the CRU breach last year.

A hack against the University of East Anglia last November resulted in the exposure of emails and other documents from staff at its Climate Research Unit online. The so-called Climategate breach resulted in a huge political controversy over the methodology of the scientists, with researchers on either side of the climate change debate using extracts from the documents to back up their positions.

National Identity Card holding chumps have buyer’s remorse

The horror that was the National Identity scheme may be dead – its end pronounced yesterday – but it is not altogether gone and now, zombie-like, supporters of the ID card are returning to haunt the Coalition.

And while el Reg has not been known for its support of the scheme – or the NI register that under-pinned it – it is possible that the complainers have a point.

In the months between the launch of the National Identity card and its abrupt termination at the hands of the Coalition, some 30,000 individuals are estimated to have signed up for the card, at a modest £30 a time.

Fingerprinted, photographed and details neatly recorded, the promise to these identity guinea pigs was less hassle at banks and shops throughout the UK – where the demand for documentation grows ever more pressing – and the ability to carry their card with them at all times while abroad, instead of the rather more cumbersome and costly UK passport.

Two individuals who took up the offer were Angela Epstein, a freelance journalist, frequently to be found writing for the Good Health section in the Mail, and Investment Banking Consultant Nicholas Hodder. They are not best pleased that the cards are being scrapped – though for slightly different reasons.

Ms Epstein, who was the very first individual in the UK to sign up for a card, feels that the card performed a useful function: she will mourn its passing. She is also less than amused that the government is scrapping her 10-year card without providing a refund.

Mr Hodder made extensive use of his card when abroad, presenting it at border checkpoints in excess of 30 times. He dislikes carrying a passport: he finds the card that much more convenient.

Both were on the BBC last week, on Rip-off Britain, making the case for the government to offer either a refund, or continued recognition of the card, over its lifetime, for those who do not opt to receive their money back. Mr Hodder points out that at UK Borders, the only check made is whether cards or passports are blacklisted. So there are no major database implications of retaining the card as a stand-alone identity document.

These views have gained some ground in Parliament. In November, the matter was debated in the Lords, where peers on both sides of the House expressed dissatisfaction at the proposal to scrap the cards without providing a refund.

Lord Brett pointed out that although the intention to scrap them had been made perfectly clear by both Tory and Lib Dem manifestoes, neither party had stated a position on whether it would offer a refund or not.

Lib Dem peer Lord Phillips of Sudbury reckoned that few ordinary members of the public would have read the manifestoes. Speaking of his own experience, he said: “I will be quite frank – I did not even read my own party’s manifesto. It was 115 pages long, for a start.”

He also queried the view expressed by the deputy director of policy at the Identity and Passport Service, who claimed that the ID card was not a consumer good – and therefore exempt from consumer protection law.

Putting in a plug for UK SMEs, Lord Erroll expressed scepticism about a claimed £20m needed to refund the card cost, suggesting that the government “have clearly fallen into the hands of the large systems integrators again, who are siphoning off our taxpayers’ money to America”.

On 17 November, the Lords voted an amendment to the Identity Documents Bill that would have required the government to pay compensation to cardholders. This was agreed on 24 November and passed across to the Commons earlier this week as part of the process known as “parliamentary ping-pong” which takes place whenever Lords and Commons cannot agree on an issue. The Commons has now appointed a Committee of MPs to look into the matter.

According to a statement from the Identity and Passport Service: “The Identity Card scheme has already cost the taxpayer millions of pounds. Combined with development work on biometric data, some £292 million has been spent on ID cards.

“The amendment to pay refunds would add a further cost to be picked up by the taxpayer.

“The Government will reverse this expensive change when the Bill returns to the Commons.”

With the abolition of ID cards becoming law yesterday, Mr Hodder’s suggestion is pretty much history: however, the question of whether or not to pay refunds is a quite different matter, and despite Home Office hopes to the contrary, it may yet be one that returns to bite the government, in the courts.

FAA to pilots: Expect ‘unreliable or unavailable’ GPS signals

The US Federal Aviation Administration is warning pilots to expect “unreliable or unavailable” signals from their global positioning gear as a result of unspecified tests being carried out by the Department of Defense.

The Notice to Airmen, or NOTAM (PDF), said the GPS tests will be carried out beginning Thursday and are expected to last through February 22. They will cause spotty GPS signals in a several-hundred-mile radius centred off the coast of Florida.

[Map: affected area of the Department of Defense GPS tests. Source: FAA]

A second NOTAM (PDF) warns of similar GPS disruptions centred on Southern California and Nevada around the same period.

“Pilots are highly recommended to report anomalies during testing to the appropriate [Air Route Traffic Control Center] to assist in the determination of the extent of GPS degradation during tests.”

During the effective period, test events will be active for 45 minutes followed by 15 minutes of off time.

It’s not clear if GPS apps in smartphones and car navigation systems will be affected. We’re guessing they will. Readers who know for sure are encouraged to leave a comment.

GCHQ goes Google

Britain’s digital spies have turned to Google for help making sense of the floods of data now inundating their powerful computing resources.

GCHQ, the Cheltenham-based signals intelligence agency, is recruiting an expert on MapReduce, the patented number-crunching technique previously behind the dominant web search engine.

The agency’s new lead researcher on data mining will be responsible for “developing MapReduce analytics on parallel computing clusters”, a job advertisement reveals.

MapReduce was developed by Google to index billions of web pages across its cluster of hundreds of thousands of commodity servers. It breaks up complicated tasks into smaller, easier computing problems that cheap hardware is capable of solving quickly.
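An added example, not from the article, the job advert, or Google’s or Hadoop’s code, of the split the paragraph above describes, in plain Python: mappers turn each record into (key, value) pairs, a shuffle step routes pairs to reducers by a hash of the key, and each reducer folds one group. The records are constructed connection-log lines (timestamp, source, destination, bytes), not real intercept data; the field layout is an assumption for the example.

```python
"""Added example (not from the article, the advert, Google or Hadoop):
a small MapReduce job over constructed connection-log lines, summing bytes
and counting flows per destination address. The record format
"timestamp src dst bytes" is assumed for the example.
"""
from collections import defaultdict
from concurrent.futures import ProcessPoolExecutor
import zlib

# Constructed input records.
LOG = """\
1296600000 10.0.0.5 203.0.113.7 1200
1296600001 10.0.0.6 203.0.113.7 3000
1296600002 10.0.0.5 198.51.100.2 800
1296600003 10.0.0.9 203.0.113.7 100
1296600004 10.0.0.6 192.0.2.44 5000
1296600005 10.0.0.5 203.0.113.7 2200
""".splitlines()


def mapper(line):
    """Map: one log line -> list of (destination, bytes) pairs."""
    _, _, dst, nbytes = line.split()
    return [(dst, int(nbytes))]


def reducer(key, values):
    """Reduce: (total bytes, number of flows) for one destination."""
    vals = list(values)
    return key, (sum(vals), len(vals))


def split(records, nshards):
    """Deal records round-robin into nshards input splits."""
    return [records[i::nshards] for i in range(nshards)]


def map_shard(shard):
    """What one map worker executes: the mapper over a whole split."""
    out = []
    for rec in shard:
        out.extend(mapper(rec))
    return out


def partition(pairs, nreducers):
    """Shuffle: route every pair to a reducer by a stable hash of its key,
    so all values for one key end up at the same reducer."""
    buckets = [defaultdict(list) for _ in range(nreducers)]
    for k, v in pairs:
        buckets[zlib.crc32(k.encode()) % nreducers][k].append(v)
    return buckets


def reduce_bucket(bucket):
    """What one reduce worker executes: the reducer over every key it owns."""
    return dict(reducer(k, vs) for k, vs in bucket.items())


def map_reduce(records, nshards=3, nreducers=2, executor=None):
    """Run the whole job. With executor=None the phases run in-process
    (deterministic, easy to test); pass a ProcessPoolExecutor to spread the
    map and reduce phases over cores, which is the cluster version in miniature."""
    run = executor.map if executor else map
    mapped = [p for shard_out in run(map_shard, split(records, nshards)) for p in shard_out]
    buckets = partition(mapped, nreducers)
    result = {}
    for partial in run(reduce_bucket, buckets):
        result.update(partial)
    return result


if __name__ == "__main__":
    with ProcessPoolExecutor() as ex:
        for dst, (total, flows) in sorted(map_reduce(LOG, executor=ex).items()):
            print(f"{dst}: {total} bytes over {flows} flows")
```

The result does not depend on how many shards or reducers are used, which is the property that lets the same job scale from one process to a cluster of commodity machines: only the partitioning changes, not the mapper or reducer.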

Google patented the technique earlier this year, but it remains free for other organisations to adopt via Hadoop, an open source project. Originally described in a 2004 research paper, MapReduce has allowed Google’s algorithms to index a rapidly expanding web while keeping costs down.

GCHQ faces a similar challenge as it gathers more and more raw data from internet communications, including email, social networks and VoIP.

“Successful data-driven organisations must be able to process, interpret and rapidly respond to indicators derived from unprecedented volumes of data from disparate information sources,” its recruitment advertisement says.

The Register understands that GCHQ now has a cluster of more than 250,000 commodity servers under its Cheltenham “doughnut” building. In recent years it has developed this Google-style infrastructure instead of the very expensive, bespoke supercomputers it used to analyse microwave intercepts during the Cold War.

While spies are planning research on MapReduce, Google has already moved on to BigTable, its distributed database.

Gov will spend £400k to destroy ID card data

Taxpayers will finally see some value for money out of the former government’s ID card scheme.

The cost of destroying the personal data collected under the ill-starred programme will be a mere £400,000, Home Office minister Damian Green revealed yesterday.

The figure came in a Commons reply to Paul Goggins MP, who’d asked what security standards would be applied in the destruction of the National Identity Register, what the arrangements were for the data destruction, and what the cost would be.

Green replied that the standards applied had been set out in a document placed in the House of Lords Library last November.

The destruction will be carried out by a CESG accredited and approved supplier, securely and in accordance with established secure destruction policy, procedures and guidelines, Green said. These include compliance with HMG IA Standard No. 5 – Secure Sanitisation of Protectively Marked Sensitive Information. Physical equipment holding the data will be degaussed and physically shredded.

While scrapping the system will save £86m over the next four years, said Green, costs from asset write-offs and the like will be £5m in 2010-2011.

The actual dismantling of the systems and the destruction of the personal data will be a mere £400,000, though. Which seems like a bargain compared to the £330m Labour spent on the scheme, of which £41m went on “developing the policy, legislation and business case for the introduction of identity cards”.

A cheaper option of course might have been to simply shove the data in the Lords Library. As Green himself demonstrated to Goggins, no one thinks of looking for anything in there.

More privacy for the Queen, less for everyone else

The coalition government has detailed the changes it wishes to make to the Freedom of Information Act – reducing the 30-year rule and increasing the number of bodies which must obey the law.

Secretary of State for Justice Kenneth Clarke told the House the Freedom of Information Act would be extended to include the Association of Chief Police Officers (ACPO), the Financial Ombudsman Service and the University and Colleges Admissions Service (UCAS).

Clarke said the government would consult with other bodies on their inclusion into the remit of the Act including Examination Boards, Harbour Authorities, the Local Government Association and the NHS Confederation.

The coalition is also speeding up the release of public documents by changing the 30-year rule to a 20-year rule. It will also look at ways to reduce the time that some other information like court records and ministerial correspondence is kept secret.

Clarke also promised to enhance the independence of the Information Commissioner’s Office.

But there will also be changes to the Constitutional Reform Act to strengthen privacy rights for the Queen, the heir to the throne (Prince Charles) and the second-in-line (Prince William) or anyone acting on their behalf. The changes mean any communication between the government and these people is now an absolute rather than a qualified exemption.

The exemption will last for 20 rather than 30 years, or the lifetime of the person plus five years.

Clarke said the changes were needed to “protect the long-standing conventions surrounding the monarchy and its records, for example the sovereign’s right and duty to counsel, encourage and warn her Government, as well as the heir to the throne’s right to be instructed in the business of Government”.

Finally Clarke said the coalition would engage in “post-legislative scrutiny” to see what impact the changes have and whether more tinkering is required.

Go here to read Clarke’s statement on Freedom of Information, from Hansard