PS3 Root Key Broken

News just in is that the Root Keys used to sign content for the PS3 has been broken by ~geohot:

erk: C0 CE FE 84 C2 27 F7 5B D0 7A 7E B8 46 50 9F 93 B2 38 E7 70 DA CB 9F F4 A3 88 F8 12 48 2B E2 1B
riv: 47 EE 74 54 E4 77 4C C9 B8 96 0C 7B 59 F4 C1 4D
pub: C2 D4 AA F3 19 35 50 19 AF 99 D4 4E 2B 58 CA 29 25 2C 89 12 3D 11 D6 21 8F 40 B1 38 CA B2 9B 71 01 F3 AE B7 2A 97 50 19
R: 80 6E 07 8F A1 52 97 90 CE 1A AE 02 BA DD 6F AA A6 AF 74 17
n: E1 3A 7E BC 3A CC EB 1C B5 6C C8 60 FC AB DB 6A 04 8C 55 E1
K: BA 90 55 91 68 61 B9 77 ED CB ED 92 00 50 92 F6 6C 7A 3D 8D
Da: C5 B2 BF A1 A4 13 DD 16 F2 6D 31 C0 F2 ED 47 20 DC FB 06 70

This is big news as it seems that this key is built into the hardware and can’t be changed.

More info on this issue at Kotaku.

How many 27001 standards?

Please wait for a site operator to respond. You are number 1 in the queue. Your wait time will be approximately 0 minute(s) and 30 second(s).
You are now chatting with ‘Tim’
Your Issue ID for this chat is LTK16502038781X
Tim: Welcome to our Live Chat service.  How can I help you?  Are you or your company an ANSI Member?
you: Hi there Tim. I’m looking to buy PDF versions of ISO27001 and ISO27002 but am a bit confused.
you: there seems to be quite a few versions of both starting at $30 and rising to a few hundred on your ANSI website

you: so for example there is BS ISO/IEC 27001:2005/BS 7799-2:2005 for $144

you: and INCITS/ISO/IEC 27001-2005 for $30
you: and Information Security Package 27001 for $50
you: so I’m somewhat confused.
Tim: There are many adoptions of these standards by other standard developing organizations.  The original standards have the following designations:  ISO/IEC 27001:2005 for $129 and the ISO/IEC 27002:2005 for $206.  Or, you could purchase the two original documents together in the “ISO/IEC 27001 and 27002 IT Security Techniques Package” at a discounted price of $295. 
you: um, so what is the $30 version?
Tim: The $30 version is the INCITS adoption of the ISO/IEC 27001 and ISO/IEC 27002 standards. 
you: and will be completly different?
you: or the words are the same and the header is different
Tim: We can’t say that there hasn’t been changes made to the orginal document.  You will need to contact INCITS for clarification.  
you: but how can it be ISO27001 if they have changed anything?
Tim: That is an agreement between ISO and INCITS.  ANSI does not review the adoptions for changes.  If you’re unsure of the adopted standards, we recommend purchasing the originals by ISO.  
you: but on the INCITS Website it says that the INCITS version is ANSI approved. Thats’ you?
Tim: It has been ANSI approved as an adoption of the ISO/IEC 27001 and ISO/IEC 27002.  
you: so that must mean that its an acceptable document
you: i.e. ANSI considered it to be not different to the ISO version?
you: I’m just trying to work out if I’m paying $99 more for the same thing.
Tim: You will need to contact INCITS to determine if any changes have been made.  ANSI does not review the body of the standard when it is adopted.   
you: that does not make any sense. you are saying that ANSI adopts a version of a document that might be completely different to the thing it purports to be?
Tim: ANSI does not adopt standards.  INCITS adopted the ISO/IEC original document.  ANSI approved the adoption but did nto review if any changes were made to the document.  ANSI is not the copright holder of the document.  You will need to contact INCITS if you want to find out if changes were made to the document by INCITS.  
you: okay. It soundss really odd to me that from you I can buy about 5 different versions of 27001 and you don’t know whats in any of them except the ISO version.
you: I will indeed contact INCITS
Tim: Thank you.  I’m sure INCITS will be able to answer your questions regarding their adoption of the ISO/IEC 27001 and ISO/IEC 27002.  
you: thanks Tim. This has been my weirdest conversation for many weeks!

Rock Band 3 #FAIL

Rock Band 3: A great game idea let down by not being properly finished and by awful support.  I bought this game because the blurb said that all the previous Rock Band titles supported song export. Not only is this not correct but the export features of Rock Band 2 and Lego Rock Band are broken and you cannot get these songs into Rock Band 3.  Rock Band Beatles will not export at all. Couple this with the incomplete on-line experience – game linking is advertised but broken – and you have yourself a classic game to avoid for now. 

As if game problems were not bad enough:  the hardware is now made by Madcatz.  Those are the same people that bought you Drum Kit Dampers that made drums louder and plastic drum stick which break when you play the drums.  Yuck!  do yourself a favour, ignore this game until the problems are fixed.  Play some Guitar Hero!  If you don’t have any of the RB series and simply have to buy one, buy RB the original first, it’s really cheap now and all the bugs are ironed out.

US Copyright Office: Finally Something Smart

The US Copyright office just published their 3 yearly update to the US copyright law and they have finally seen some sense and provided some exclusions for the DMCA.  This is really big news as finally there is some consumer protection provided.

Citizens in the UK we can only hope for similar sanity at some point. Read on for the details of the exclusions.

The six “classes” now exempt from prosecution under the DMCA are:

1. Defeating a lawfully obtained DVD’s encryption for the sole purpose of short, fair use in an educational setting or for criticism

2. Computer programs that allow you to run lawfully obtained software on your phone that you otherwise would not be able to run aka Jailbreaking to use Google Voice on your iPhone

3. Computer programs that allow you to use your phone on a different network aka Jailbreaking to use your iPhone on T-Mobile

4. Circumventing video game encryption (DRM) for the purposes of legitimate security testing or investigation

5. Cracking computer programs protected by dongles when the dongles become obsolete or are no longer being manufactured

6. Having an ebook be read aloud (ie for the blind) even if that book has controls built into it to prevent that sort of thing.

expect to see editorial content popping up all over the net discussing this.

See here for the Library of congress link.

 

HOORAY! SCO Are Finally Sunk!

After 7 years of FUD, FUD, FUD, SCO lost the most important case today: They do NOT own the copyrights to Unix.  This means that all the other lawsuits will collapse almost instantly.  Poof.  Luckily SCO will go down the tubes too and that will be that.  Excellent.  Finally.  Phew. http://www.novell.com/prblogs/?p=2153

When Danger is an apt name!

Microsoft\Danger and T-Mobile don’t seem to have quite got the cloud concept yet.  Yes it’s true that cloud users don’t have to worry about ther data – it’s all safely tucked away somewhere and your cloud provider sorts it all out.

Alas it seems that Microsoft\Danger got a bit confused during Cloud Computing 101 and went away thinking that no-one had to worry about the data.  So they didn’t.

They have come clean on the T-Mobile website and told SideKick users not to turn off the devices as the data now lives nowhere else.  In a cruel extra twist, the SideKick Devices are useless now as just about everything it does requires the cloud – it retains nothing at all during reboot for example.

The T-mobile article is here. In the meantime you would be right if you were really nervous about trusting these guys with your data!

It seems that the only person to show incredible foresight was the person that came up with Danger as the name of the company.

Microsoft have had a couple of years now since they acquired Danger to make the services offered resilient.  Seems that they failed.  Epic Fail.

Oh and BTW, Azure, Microsofts flagship cloud OS launches in a month or so.  What-Could-Possibly-Go-Wrong.

Certificate Fingerprints

There have been some very nasty certificate based vulnerabilities announced recently and these amount to an attacker being able to act as  MITM (Man In The Middle) on pretty much any SSL conversation.  All the attacker has to do is insert themselves somewhere in your traffic chain between you and your target web site.

As these vulnerabilities turn into real exploits, you should be really really really (got the picture?) careful what sites you log into and give your personal info to.

The nature of these attacks will mean that your browser is completely fooled into thinking it is talking to the real PayPal.com or Ebay.com. When spoofed, you will most likely experience normal logon and purchasing, but your details are phished for future use.  Even certificate verification checks such as CRL, OCSP Validation and path validation will work as you would expect.  Nasty.

I suggest therefore that for the next few weeks, while we see how bad this really is, you check independently the certs of all sites that you need to log in to.

I have printed out the SSL certs for the sites that I use often so I can check them for myself, but you may want to use this article which has the cert hashes for 4 common sites, PayPal.com, Amazon.com, eBay.com and of course, TurboTas.co.uk.

It would be very hard for an attacker to make the fake cert match these hashes, so that’s what you need to check. Bear in mind though this web page could be MITM attacked too, so unless you know your connection to turbotas.co.uk is unspoofable, don’t trust this source either as the pictures could be replaced.

The best bet all around is for you to print out every cert you encounter for the next few weeks and every time you revisit a website, check the cert against your hard copy.  read on for the certs.

 

 

 

Amazon.com

eBay.com

PayPal.com

TurboTas.co.uk

Google

Yahoo

Amazon Kindle comes to the UK

Two years after the release in the US of the Amazon Kindle, the device finally makes its way to the UK!  As from today you can buy the gadget from Amazon.  this is a special version for the international market with tweaks to ensure it can get network connectivity.

It’s not all good news though – because the international version is a special build, you can only get the Kindle 2, not the DX with the nice screen.  Oh well – I suppose we can’t have everything.

Also bear in mind the Orwelian remote deletion feature which Amazon got slated for earlier in ’09 and maybe you will think twice before you part with your cash.

I’ll put one on my wish list for xmas and can always delete it if the early UK reviews are not encouraging!

 

 

FOTA Breakaway Calendar

The Guardian has an article today with the proposed schedule for th Formula One Breakaway series, and it looks like a doozy with some great circuits on offer.

The full FOTA 2010 schedule, as published in The Guardian, is as follows:

7 March Buenos Aires Argentina Last hosted F1 in 1998
21 March Mexico City Mexico Last hosted F1 in 1992
11 April Jerez Spain Last hosted F1 in 1997
25 April Portimao Portugal Never hosted F1
2 May Imola San Marino Last hosted F1 in 2006
23 May Monte Carlo Monaco Current F1 host
6 June Montreal Canada Last hosted F1 in 2008
13 June Indianapolis United States Last hosted F1 in 2007
11 July Silverstone United Kingdom Current F1 host
25 July Magny-Cours France Last hosted F1 in 2008
15 August Laustizring Germany Never hosted F1
29 August Helsinki Finland Never hosted F1
12 September Monza Italy Current F1 host
26 September Abu Dhabi United Arab Emirates Current F1 host
10 October Marina Bay Singapore Current F1 host
24 October Suzuka Japan Last hosted F1 in 2006
7 November Adelaide or Surfers’ Paradise Australia Last hosted F1 in 1995/Never hosted F1

More News over the next couple of days.  Todays update is that the FOTA president appeared in front of the WMSC today and told them unequivocally that the breakaway series will go ahead.

It seems like the FOTA teams are adamant that the budget savings are needed and that it;s the huge slice that F1 Commercial Rights holder gets that they want o get rid of!  Roll On FOTA!

 

Formula One Hits Self Destruct Button

The Self destruct Button was well and truly thumped last night when the deadline passed for unconditional entries into the 2010 Formula One series without all but one of the big teams being signed up for 2010.

The FIA and FOTA have been wrangling for years about the commercial, political and technical management of Formula One.  This has all come to a head recently, when FIA president, Max Mosley tried to enforce a budget cap on the teams. This budget cap is perceived by Mosley to be critical to the survival of the sport as the huge largess of the teams is not considered by him to be appropriate in the present financial climate. The teams all fight back with claims that their budgets are huge due to the large volumes of rule changes which Mosley makes to try and make the sport more entertaining.

In addition to budget constraints, it is clear that Max has been trying over the last few years to homogenize the cars to a single chassis, single engine series and with most of the big manufacturers either being or being sponsored by car companies with their own engines, it is clear that this was always going to end in tears.

FOTA announced last night that they are dismayed that their arguments against the budget caps have been ignored and they announced that they would begin planning a breakaway series with immediate effect:

Silverstone, 18 June 2009 – Since the formation of FOTA last September the teams have worked together and sought to engage the FIA and commercial rights holder, to develop and improve the sport.

Unprecedented worldwide financial turmoil has inevitably placed great challenges before the F1 community.  FOTA is proud that it has achieved the most substantial measures to reduce costs in the history of our sport.  

In particular the manufacturer teams have provided assistance to the independent teams, a number of which would probably not be in the sport today without the FOTA initiatives.  The FOTA teams have further agreed upon a substantial voluntary cost reduction that provides a sustainable model for the future.

Following these efforts all the teams have confirmed to the FIA and the commercial rights holder that they are willing to commit until the end of 2012.  

The FIA and the commercial rights holder have campaigned to divide FOTA. 

The wishes of the majority of the teams are ignored. Furthermore, tens of millions of dollars have been withheld from many teams by the commercial rights holder, going back as far as 2006. Despite this and the uncompromising environment, FOTA has genuinely sought compromise.

It has become clear however, that the teams cannot continue to compromise on the fundamental values of the sport and have declined to alter their original conditional entries to the 2010 World Championship.

These teams therefore have no alternative other than to commence the preparation for a new Championship which reflects the values of its participants and partners.  This series will have transparent governance, one set of regulations, encourage more entrants and listen to the wishes of the fans, including offering lower prices for spectators worldwide,   partners and other important stakeholders.  

The major drivers, stars, brands, sponsors, promoters and companies historically associated with the highest level of motorsport will all feature in this new series.

Note to Eds: Statement issued by FOTA on behalf of BMW-Sauber, BrawnGP, Scuderia Ferrari, McLaren-Mercedes, Red Bull Racing, Renault, Scuderia Toro Rosso, Toyota.

The FIA responded in what is becoming standard Formula One practice with the words ‘See you in Court’.  At the heart of this threat are the private agreements that the FIA have direct with some of the teams to be involved in the sport in the future.

Particularly interesting is the fall from grace of Ferrari, who has previously been able to exert some kind of mystical hold over the sport, with the press release on the FIA website summing up the FIA position:

19/6/2009 The FIA’s lawyers have now examined the FOTA threat to begin a breakaway series. The actions of FOTA as a whole, and Ferrari in particular, amount to serious violations of law including willful interference with contractual relations, direct breaches of Ferrari’s legal obligations and a grave violation of competition law. The FIA will be issuing legal proceedings without delay.

So far, the spinoff series is likely to involve:

  • BMW Sauber;
  • Brawn GP;
  • McLaren;
  • Renault;
  • Red Bull Racing;
  • Ferrari;
  • Toro Rosso;
  • Toyota.

It’s not presently clear what the position of Williams is in all this.  They alone of the FOTA members have submitted an unconditional entry for next year.

This may simply be that they have nothing to lose: Without a championship winning car for the last few years, this may be a great way to get back to the front of the grid if the present big guns go elsewhere.

What remains to be seen is if the breakaway series becomes the new motorsport pinnacle. With the FIA controlling budgets, technical innovation, pre season testing, engine performance and tires, the thing this is clear is that the breakaway series looks like it might be able to bring back the true innovation that in the past has bought us 6 wheels cars, side skirts and a host of other groundbreaking performance enhancing parts.

We certainly live in interesting times – May be wise not to book seats for a 2010 F1 venue just yet!