EEPI - Electronic Entertainment Policy Initiative
[ EEPI-Discuss ] Re: One Week to Shattered Security: Lessons From the Sony PSP Exploit Saga
From: James Carlson <james.d.carlson+eepi@sun.com>

> Using the word "security" here just gets us mired in the world of
> hackers, worms, viruses, and the like, and that's not really the
> focus.

> [1] Yes, I'll admit that allowing module-signing is certainly a form
> of security. The line I'm drawing is between that intent, and
> simply preventing users from knowingly running software they'd
> prefer to run, or writing their own. The line is between damaging
> a system you do not own, and making changes to one that you've
> purchased yourself. DMCA might make the latter "illegal," but
> that's no excuse for clouding the language.

In all fairness to Sony, I suspect that a dual focus was intended all along, and that the two aspects are tightly intertwined. Indeed, I agree that the primary issue seems to be one of maintaining the revenue stream and the related DRM, as we'd expect.

But it's also very much in Sony's interest to ensure the operational security of the unit by avoiding the execution of programs that can turn the units into "bricks" (to use the popular term for devices whose firmware has been corrupted beyond users' capability to self-repair). Misbehaving programs can smash the PSP's internal firmware, and while Sony has the hardware tools to restore them, the last thing they want is piles of PSPs being shipped back for restoration after running errant or malicious unsigned code.

In fact, the PSP hacker community has apparently "bricked" quite a few PSPs in the process of their experimentation, and concerns over protecting unsuspecting or naive users from the same mentality that sends out viruses and worms are very real. While there are some approaches that can help minimize this risk (such as attempting to verify programs through PC-based PSP emulators), the problem is still very difficult.

So, the capability to run unsigned programs really is a two-edged sword as far as the PSP is concerned.
--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@eepi.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

_______________________________________________
EEPI-Discuss mailing list information:
http://lists.eepi.org/mailman/listinfo/eepi-discuss