Friday, April 29, 2011

Sony's the reason PSN failed.


Disclaimer: As an IT professional, I am here to contribute my opinions on the flak that 'jailbreakers' and 'hackers' are receiving for the recent Sony outage. While these people need no defense, the ignorance of those pointing the fingers is staggering and outrageous. Therefore, I'm saying a few words to correct that perspective, though admittedly you can't fix stupid.


First off, to disclose a little of my personal background: I am an IT consultant for a company known to most fans of The Price Is Right as Liberty Medical Supply, a subsidiary of Medco Health Solutions.

While I have no claim to fame in the same sense as Geohot, I do much the same thing for the company I work for, i.e. ethical hacking. I spend a great deal of time poring over source code on a daily basis in an effort to improve the stability, performance, and security of the apps our company uses to do business every day.

Part of my job is to break applications and discover potential exploits in order to maintain the security of our patients' data, which is crucial to the profitability of our business. Without people like me working day in and day out to strengthen our security, we would be risking our integrity and reputation, which is a trust with the patients who buy diabetic supplies from us every day.

Some of you think that Geohot and the many other 'jailbreakers' out there are to blame for the atrocity at Sony right now. Some of you believe that their actions inspired unethical hackers to steal the personal information of users of Sony's service (I am a PSN member myself); however, given the disclosure above, those feelings are misdirected at a group of people who do wonderful things every day.

Let's squash that right now. Geohot is not responsible for, and should not claim responsibility for, the actions of the people behind Sony's network shutdown. Plain and simple, Geohot and I are of the same opinion: understanding how hardware and software work is crucial to improving the performance and capabilities of those platforms. Often this means reverse engineering products in order to exploit them. In this sense, we are hackers, and I am quite proud of that.

When Sony states that they hired a security consulting firm to help strengthen their network, they mean they are hiring people like Geohot, me, and many others: hackers. How does security evolve without those of us who take an interest in understanding how software works? Anyone who is of the opinion that it comes from people like us, who find these exploits, has the correct perspective.

Sony, plain and simple, is to blame for the 77 million compromised accounts (once again, one of those accounts is mine). Their cavalier approach to security, their haughty claims, and their inability to recognize their own security flaws are the reason that my personal data and yours is in the hands of a group of unethical bastards who have no regard for your privacy or mine. As Geohot stated, instead of throwing lawyers at the 'problem' they could have been investing in ethical hackers to improve the security of PSN. If Sony were my company, Geohot would have had a job for the impressive discovery he and fail0verflow made.

I can only imagine if the company I worked for had an anti-hacker attitude. Protected health information would be at great risk, possibly exploited, and our company would be paying millions of dollars in HIPAA violations rather than the salaries of the thousands of people our company employs.

I can't say that I agree with Geohot's immature behavior during the lawsuit (the anti-Sony rap was kind of lame), but I do agree with his principles and overall belief in hacking. Without it, your personal data would be much less secure than it is now. Sony is proof of what happens when the finger is pointed in the wrong direction rather than proactively addressing potential threats.

I could go on about our rights as consumers to actually own the products that we buy, and about how Sony acted unethically in removing an advertised feature from their product when some of us bought it for exactly that feature. I could go on about the many people who are unjustifiably angry at Geohot when there is no proof that the exploit he discovered was even used in the attacks against PSN, but that's not what I want to highlight in this discussion.

What I want to emphasize here is that those of you who are condemning hacking as an evil don't respect the necessity of this art. Do any of you order your diabetic supplies from the company I work for? I guarantee you, because of my efforts and those of the many people I work with every day, your social security number, your insurance information, and any other protected health information is always moved over secure channels and is never intercepted by those who might exploit your identity for their own personal gain. Sony can't say the same!

While Geohot and many others like him do what they do for slightly different reasons, whether it be for consumer rights, the joy of breaking the restrictions and limitations of a new smartphone, or to protect your privacy, we all have a common ethical boundary we do not cross. We don't aim to steal what is not ours; we aim to protect what is ours, whether it's our rights as a consumer or the integrity of the company that pays our bills. I am a hacker and I am proud of what I do! If anyone's eyes have failed to open, well, as I said, you can't fix stupid.

7 comments:

  1. Many of a more mature opinion do not question the ethics of hacking and/or hackers. The question of ethics comes into play when a hack is publicly released for the world to see, regardless of good intentions. The ethical thing to do would have been to approach Sony with the hack so that security measures could be taken.

    Disregarding employment, if you did what geohot did, you would have granted millions of people, many of whom would have nefarious motives, access to people's private data. Employment status muddies this, because you are contract-bound to share your discovered exploits with your employer; however, the ethics behind finding the exploits, especially since you place geohot in the same category as you (ethical hacking), should bind you not to release those exploits to the public.

  2. @Geoffrey

    I understand your point of view; however, there is no proof that Geohot's jailbreak of the PS3 was used to exploit PSN. That's kind of the point I am making here: there are a lot of people making assumptions, which includes making a leap from a highly publicized jailbreak to a mass outage of PSN.

    I highly doubt that anything Geohot released was used in that attack. In order to hack PSN we must first jailbreak our PS3s?! That doesn't make very much sense at all. So unless there are some things about the PS3 jailbreak I don't understand, or there are documents I have not been privy to, how exactly did the jailbreak itself give millions of people access to Sony's SQL tables?

  3. As you've stated...you are a hacker. So you should know source code and the obvious applications of it; and the fact that with the source code of the PS3, which was publicly shared by the person in question, someone with applicable knowledge and said source code could evidently disguise their PC as a PS3 to gain temporary access directly into PSN and therefore hack from there. Just a theory...not stupidity. I fear that all the ifs, ands or buts do not get George out of the mess of dominoes he left. Is he to blame for the entire episode...I agree with you in that he is not...does he share partial responsibility...Yes he does. HE claimed he did it for my rights and yours as consumers...well I didn't ask him to. As for Sony getting rid of the Other OS being the reason for this, buy a computer...personally I bought a PS3 for gaming not computing.

  4. Well, I wasn't trying to equate the hack and subsequent shutdown of the PSN with geohot's exploit discovery, but Sony User makes a valid theory; the rest of his point is something to consider, too.

    However, my point was more to the ethics of releasing an exploit to the general populace without any consideration of what can be done with it. "Here, I unlock for the world the ability to make an atom bomb; now I wash my hands of it." Maybe this exploit isn't the equivalent of an atom bomb, and no analogy is perfect, but the ethical principles remain the same. And that begs the question: why release an exploit, whether any danger in it is known or not, to a populace among whom are those who will use it for nefarious purposes?

  5. @Sony User - I bought a PS3 for gaming as well, and I'm not really arguing the ethics of the hack itself, or even why he did it. His point is valid in the sense that we should be allowed to do what we want with electronics that we pay for. People jailbreak iPhones, Droids, and probably e-readers every day. You don't see attacks against the respective networks as a result. I'm not saying they don't happen, but it's certainly not publicized or anywhere near as extreme as Sony's problem.

    Here is something to consider. Say I break an application where I work and share that exploit with another co-worker (implied that he/she is IT and under the same non-disclosure agreement that I am) and they decide to do something malicious with this information instead of upholding their contractual obligations. Should I be on the hook for their misuse of that shared information?

    Geohot did what he did with the implicit understanding that those he was sharing this information with would not be using it for malicious intent. So should the PS3 jailbreak be a part of the equation, the people that misused that information are the people accountable for those actions.

    Sony is also accountable because they have violated their trust with the consumer that is using their console legitimately by not regarding the potential implications of the jailbreak or the potential exploits to their own network. I won't even address the stupidity of having a master seed on the local console itself.

    In short, placing Geohot on the fire for exploiting a system with the intentions that he had is the same as firing me for sharing exploit information with a trusted source that chose to use it for unethical reasons. Anyone can misuse information, but that doesn't put the person who publishes that information on the hook for the actions of someone else.

  6. I think your example is lacking in two big details (capitalized to show emphasis, not trying to "cyber-shout"): you shared the information with ONE INDIVIDUAL who is SUPPOSED TO USE IT ONLY LIKE YOU ARE. The exploit geohot discovered was shared with the world without any limitations on its use. Furthermore, the limitations placed on you and your coworker carry explicit consequences if broken, I would assume (such as loss of job and even criminal prosecution), while geohot would be in no position to enforce any limitation.

    For those reasons, what you would have done is expected of you; you were working with someone doing the same job as you and they misappropriated the information. Now, if you were their supervisor, you may be reprimanded for their misdeed, but I don't know your company's hierarchical structure (this would be the case, perhaps more would be done, in a similar situation were this the military). geohot's exploit, however, was gifted (for lack of a better word) to those who may or may not be as ethical as you would like to make him out to be (I'm not convinced he was one way or the other, to be honest) with little regard or care for who they may be.

  7. @Geoffrey

    Geohot was stuck in a Catch-22: either he gave the code out publicly and it was possible to be used for nefarious purposes, or he gave it to Sony to be used for their nefarious purposes (removing features from existing consoles, sold and advertised with those features).

    Please let me know how to judge which is more or less ethical than the other.
