Deep Insecurity
PS3's security failure marks an unhappy new year for Sony and raises questions for every console maker.
In Sony's defence, it's worth noting that the PS3 has managed to retain its security for far, far, longer than any other console in recent memory. Until the launch of the "PS3 Jailbreak" last summer - which was rapidly neutered by firmware updates - the console's defences remained unbroken. Even in the wake of the apparently catastrophic security breach of the past week, that represents an excellent record.
It's worth asking, however, why exactly that security remained in place for so long. The hackers at Fail0verflow have a simple explanation - at launch, the PS3 catered to hackers and hobbyists by allowing them to run the Linux operating system through the OtherOS functionality. Even though this wasn't something which large numbers of consumers exploited, it was enough to satisfy the small number of people who wanted the ability to use their hardware in this way. More importantly, Fail0verflow argue that it also kept the PS3's security off the hacker radar, since there was almost no legitimate reason for them to break into the console.
Taking a cynical - or perhaps realistic - standpoint, these arguments seem a little over-simplified and idealistic. There's no question but that plenty of people were attempting to break the PS3's security systems long before the ability to run Linux was removed by Sony. Mod chips and other such hacks are, after all, a big business as much as they are a hobbyist enterprise, and a great many people who work on cracking security are motivated by money, not by idealism.
On one front, however, it's hard to argue with Fail0verflow's logic. Sony's removal of Linux support from the PS3 Slim and subsequent deletion of OtherOS functionality from the original PS3's firmware was seen as a red flag to a bull within the hacker community, and activity on cracking the console's security unquestionably intensified in the wake of those actions. Many hackers who had never contemplated investigating Sony's security systems and probably never even used PS3 Linux were incensed - here was a system which provably had a working version of Linux, but which had been prevented from running it. This is exactly the kind of challenge which the hacker mindset relishes.
As a consequence, it's quite likely that more talented hacker groups, who had previously ignored the PS3, became interested in the problem. It seems that there's a two-tier system in place in the hacking community - there are the seriously clever, inventive people who investigate security systems and uncover their flaws, and then there are those who take those flaws and build products (mod chips, firmwares and so on) which exploit them for the purposes of piracy. While Sony maintained Linux on the PS3, those in the former group steered clear, for the most part - and those in the latter group simply weren't talented or knowledgeable enough to crack the security on the console.
There are other factors at play here as well, of course - and it's worth recalling that Sony originally removed Linux from the platform's firmware after exploits posted by famed iPhone hacker George Hotz suggested that OtherOS could be a viable vector for hackers attacking the system. However, the timing is hard to ignore - and it raises some interesting questions for securing future consoles.
OtherOS functionality seemed like a lame duck on the PS3 - it was relatively tricky to set up and used by a tiny, tiny fraction of the console's user-base, who were also likely to be the kind of people who bought the hardware and never purchased games for it, making them into a net loss to Sony. However, we must now ask whether what Sony actually bought for itself with OtherOS functionality was the goodwill of the hacker community - a four-year grace period without piracy.
Much of what I wrote about Sony in 2010 focused on the transition inside the company as the firm learned from the mistakes and excesses of the engineering-led Ken Kutaragi era and shifted its focus to being software-led and developer-friendly. That's a change which is still underway, and is still a net positive - but perhaps the dropping of OtherOS, a Kutaragi-era feature if ever there was one, was a major misstep during the process. If engineers understand one thing, it's the engineering, "hacker" mindset - and OtherOS' function, in the end, may have been to satisfy that mindset.
Other console makers, as well as Sony itself, could do well to watch and learn. If providing a sufficiently expansive walled garden for hackers to play with - and a somewhat limited and closely monitored version of Linux seemed to do the trick nicely - can actually ward off piracy for several years, is it not a reasonable price to pay? If the hackers who are actually skilled enough to break this kind of complex security are really interested in open hardware rather than piracy, doesn't it make sense to stop treating this as a war, and try to meet them halfway? As Sony faces the stark prospect of a 2011 with the PS3 utterly bereft of security, these are questions every hardware manufacturer ought to be asking.
If you work in the games industry and want more views, and up-to-date news relevant to your business, read our sister website GamesIndustry.biz, where you can find this weekly editorial column as soon as it is posted.