You’ve probably heard the French saying, “Plus ça change, plus c’est la même chose.”
Alliteratively coined by the French satirical writer Jean-Baptiste Alphonse Karr, it means that the more things change, the more they remain the same, and it’s a cynical observation that what seems like an improvement may not, in the end, sort out the underlying problems or attitudes it was mean to fix.
Well, here’s a change that really does seem to be a change, in heart as well as in direction!
Sony, maker of the PlayStation games console series, has not always been friendly to hackers.
About ten years ago, the company famously took legal action against a young George Hotz, better known as geohot, an American hacker – in the neutral sense of the word here – who has found his way into numerous “locked down” devices over the years.
Hotz, who is now into open source self-driving automotive software, has variously come up with jailbreaks (or roots as they are known on Android phones, after the Unix name for the top-level administrative account) for iPhones, locked-down Androids such as Galaxies…
…and for the Sony PlayStation 3.
Sony wasn’t impressed, and launched legal action against Hotz, even though the main purpose of Hotz’s reverse engineering seems to have been an attempt to allow PS3 owners to run alternative operating systems such as Linux or FreeBSD on their own devices.
(Sony used to allow users to install their own software on PlayStations through an feature descriptively known as OtherOS, but ultimately removed the option, making the PS3 a locked-down system in the fashion of a device such as the iPhone.)
As you can imagine, Sony’s reponse didn’t go down well in the hacking and modding (short for modification) community.
Ultimately, as far as we can tell, Sony settled its legal wrangle with Hotz pretty much on the basis that he would give up on PlayStations, retire all his Sony hardware to a box in the cupboard under the stairs, and not hack on it again.
Well, both the hacking scene and the industry have moved on since then, with the finding and responsible disclosure of exploitable security holes now a respectable and often very well paid job in cybersecurity.
Indeed, Hotz himself went on to achieve successful exploits against both Adobe Acrobat Reader and Firefox at the PWN2OWN competition, where entrants publicly target mainstream products such as document readers and browsers to prove that they can bypass the security protection of those products and win (often substantial) cash prizes.
Bug bounty hunting
Of course, bugs-for-money programs, generally known as bug bounties, aren’t just free-for-all exercises.
There are generally very strict rules of engagement, notably that getting paid depends on a series of things:
- You can’t break the law, or use morally dubious or manipulative methods, to carry out your hack. For example, calling up an employee of the vendor and trying to trick or bribe them into helping you is out, as is cracking into someone else’s account to get hold of insider information.
- You have to be the first person to find the bug you are claiming payment for. This may sound a bit harsh, especially when two researchers working entirely independently just happen to find the same complex security hole at almost the same time after months of hard work. But bug bounty hunting is, at heart, a competitive market, and winner-takes-all is the easiest way for a vendor to avoid the problem of two researchers covertly colluding for extra money. It also encourages researchers to hunt more widely for security holes, including obscure ones that might otherwise get overlooked by everyone.
- You mustn’t probe for holes in a way that is likely to harm or inconvenience others. Especially when looking for bugs in online services, bounty hunters are expected not knowingly to crash live systems in order to further their efforts or extract data for their research. Peeking at confidential data along the way is also unacceptable. (This probably violates the first condition anyway, given that unauthorised access is illegal in most countries, but many bug bountry programs make the point about “no peeking” separately.)
- You have to hand over full and frank information about the bug to the relevant vendor. In return for paying up for the bug information, the vendor gets the first use of it in the hope of fixing the hole before anyone else – such as a cybercriminal – finds it. This is the responsible disclosure part of modern bug hunting. The vendor can’t sweep the problem under the carpet, because there’s a formal record of it being found and reported, but the details of the exploit are kept confidential for enough time to allow time for a patch to be prepared carefully and tested properly.
- You can’t tell anyone else how you did it until the vendor has had a fair time to fix it. Most bug bounty programs have a rule under which a reasonable timeframe is agreed for fixing the bug. 90 days is a popular period. This ensures that the vendor is motivated to fix the issue, otherwise it will be disclosed anyway, but it also stops information leaking out that could give the crooks strong hints on where to look while the bug is not yet patched.
Sony joins the club
Sony has now announced its own bug bounty programs for the PS4 and the PlayStation Network:
We believe that through working with the security research community we can deliver a safer place to play. We have partnered with HackerOne to help run this program, and we are inviting the security research community, gamers, and anyone else to test the security of PlayStation 4 and PlayStation Network. Our bug bounty program has rewards for various issues, including critical issues on PS4. Critical vulnerabilities for PS4 have bounties starting at $50,000.
We’re assuming that a critical PS4 vulnerability would be the sort of bug that allows remote code execution, or RCE, whereby an attacker could run untrusted code, implant malware – or, indeed, jailbreak the device.
Other critical vulnerabilities usually include bugs that allow attackers to extract private data such as cryptographic keys or other information that is vital to the security of the device or ecosystem.
Sony says that it has had a closed bug bounty program for a while – one in which selected researchers have been invited to take part – but the program is now open to all.
By the way, that $50,000 payout for a critical PS4 vulnerability is a minimum, so for a bug that offers a full, automated, “click here to jailbreak” attack, you can probably expect a fair bit more than that.
Over to you…
