PlayStation 3 used to hack SSL, Xbox used to play Boogie Bunnies

Between the juvenile delinquent hordes of PlayStation Home and some lackluster holiday figures, the PlayStation has been sort of a bummer lately, for reasons that have nothing to do with its raison d'etre -- gaming. That doesn't mean that the machine is anything less than a powerhouse -- as was made clear today when a group of hackers announced that they'd beaten SSL, using a cluster of 200 PS3s. By exploiting a flaw in the MD5 cryptographic algorithm (used in certain digital signatures and certificates), the group managed to create a rogue Certification Authority (CA) which allows them to create their own SSL certificates -- meaning those authenticated web sites you're visiting could be counterfeit, and you'd have no way of knowing. Sure, this is all pretty obscure stuff, and the kids who managed the hack said it would take others at least six months to replicate the procedure, but eventually vendors are going to have to upgrade all their CAs to use a more robust algorithm. It is assumed that the Wii could perform the operation just as well, if the hackers had enough room to spread out all their Balance Boards.
[Via ZD Net]

So from all these articles I now know my PS3 is a WMD. Please, Bush, don't invade my dorm room. It's only one little PS3.
Do you have any oil wells in your dorm room?
If not, I think you're safe! *ba-dum pshhhh*
Tip your waitress!
It's almost 2009 and you're still making George Bush and WMD jokes? Come on now.
@DWells55: It's not *yet* 2009/1/20.
@DWells55: It's almost 2009 and you *still* have troops in Iraq?
Meh. It's almost 2009 and we *still* have troops in Europe. Interesting story behind that one...
Jbuers, you snotty kids with the solar power cars really get to me. Hopefully the islamists get to you!
Now we know where all the PS3's sales came from.
Thank you so much Enigma for making that point. Too many people on both sides of the puddle forget that Europe would be nothing like it is today without the U.S. I'm sick of all the ultra liberal - hippie - Bush bashers that know nothing about fact or history and yet they still open their mouths spouting their propaganda. Oh yeah and the PS3 is amazing.
Wow, this Alex guy thinks exactly like me. Good to see that not everyone on the internet is a retard.
@Alex
They (Third Reich & its ally) actually invaded other countries, Iraq did not.
At least half of the international community allied with U.S. (even Soviet Union), this is not true either about Iraq.
Let's face it. The Iraq war is not popular and it cannot have support as U.S. had in WWII
Ha ha and I'm glad, Anthony-E, that I'm not alone because it sure feels that way most of the time.
I'd like to ask: "is it just me or is the PS3 good at everything but gaming?"
but some asshole on engadget would reply "its just you" and get a Highest Ranked.
Therefore I will make a declarative statement.
THE PS3 IS GOOD AT EVERYTHING EXCEPT GAMING.
"Thank you so much Enigma for making that point. Too many people on both sides of the puddle forget that Europe would be nothing like it is today without the U.S."
The US aren't in Europe for anyone else but themselves; it allows you to launch fighters/bombers during conflicts without the need of a carrier, and it also allowed (possibly still does) the storage of nukes during the cold war. It also allows you to ship people out to countries that haven't banned torture in order to sidestep your own laws.
There are an awful lot of people who are grateful for the US's entry into WW II - albeit a late entry - but that does not excuse anything and everything the US does that is wrong. This Bush is not representative of your other presidents at all - this Bush is a dufus.
@FuzzyCat
The difference is, none of these European countries WANT the U.S. to leave. These military installations with thousands of soldiers and families have become a large part of their economies. A lot of towns in Germany would turn into dust-bowls if the U.S. military pulled out. Bush has actually THREATENED to pull our troops out of Europe when he doesn't get his way.
You know, you're not allowed to export systems like the PS3 or Xbox 360 to countries that sponsor terror right? It's illegal. Heck, even the PS2 made the list back in the day!
Hacking with a wii balance board, now that sounds like a movie from the 80s i would LIKE to see!
*girls* hacking on Wii balance boards
Woot I'm actually first, think they would give me one of those PS3s
You fail so hard it's funny.
+1 from me.
smh...it was my first time commenting, i woulda been first but I didn't kno i had 2 confirm lmfao...w/e now i kno
Worst comment ever. For multiple reasons.
certainly not useful...
....but ridiculously impressive
the knowledge of my sweet generation, we kick ass. :-)
aww man... i tried
At least someone found a use for the PS3.
Tool.
Actually, I do have Tool loaded up on mine.
@Game_playa
The fact that you take offense to my silly little statement shows us who the tool is...
this is just saaaaad. no one is playing their ps3.
I don't know why I checked but kjb you have 666 comments on engadget.
200 PS3's * $400 each = $80,000
Rich group of hackers maybe...
I could be wrong, but I'm pretty sure Sony has offered clusters at a wholesale discount to buyers like these; Scientists, unis, hackers and such
It's funded by a school from the Netherlands of course ;).
"I could be wrong, but I'm pretty sure Sony has offered clusters at a wholesale discount to buyers like these; Scientists, unis, hackers and such"
Yeah. I mean, it's not like anyone is using them for gaming. They have to do something with them.
A loss for Sony since those hackers don't intend to purchase any games or accessories for it, which is pretty much how console mfrs make a profit these days.
A result of collaboration of crackers using Cracking@home?
Question is though.. How many dif companies have done that.. Bought hordes of PS3s to use as a supercomputer..
So how INFLATED is that number sold due to these "PS3 Super Computers"
Try again Sony... It's not a game console, it's an F'in PC...
$80k... I'm pretty sure this was done with a lot less. After all, someone cracked WPA with an NVIDIA GPU. I'm really not impressed that it would take 200 PS3s to hack something. That doesn't exactly mean they are powerful. $80k could buy you one really powerful system far superior to 200 PS3 systems.
@mic2000
Which one? TU Eindhoven?
Assuming these were bought recently, at $50 per console that Sony loses, this system costs Sony $1000. Thinking about it, every PS3 that is bought for these purposes ends up quite expensive for Sony.
I believe you meant to say $10000.
Yeh, damn typos!
..but what about the marketing value gained, free exposure to blog etc? To throw more numbers in the mix, according to Consumer Depot lower price for a 80GB PS3 is 349 USD or 69800USD for all 200 of them. Add some networking gear and time spent, this hack was a pretty major one. I bet Sony is very happy..
Doesn't really matter how much exposure they get in the press for this kind of thing. All it does is make more people want to buy the PS3 for this sort of job, NOT to play games. Which of course means that Sony loses more money per PS3 sold...
The other thing I'm wondering about though is how many of the PS3s that are sold each week are being used for projects such as this? This is certainly not the first time I've heard of PS3s used to do massive computing projects, so... any guesses as to the percentage of PS3s sold that are being used for their computing power and not for their gaming potential? I'm thinking 5%...
I'm no math genius, but Sony would lose a whole lot more than $50 if you don't buy a PS3 in the first place! :)
@Charlie......
as those people surely don't go to 50 or so stores to pick up 2-4 PS3s then it's not included in the NPD numbers.......
Yeah it can fold like a motha too.
If I am ever obscenely rich I am buying a cluster of PS3s to fold@home till I cure all those diseases.
"the group managed to create a rogue Certification Authority (CA) which allows them to create their own SSL certificates"
Huh? It takes virtually no effort to create your own CA and even less to create your own SSL cert - did you mean to say that they recreated one of the valid standard CA's with their own info and then generated ssl certs from that?
Just my thought. The whole article didn't seem very impressive, neither necessitating 400 PlayStation 3. :P
According to the "Read" link:
Our attack scenario basically is as follows. We request a legitimate website certificate from a commercial Certification Authority trusted by all common browsers. Since the request is legitimate, the CA signs our certificate and returns it to us. We have picked a CA that uses the MD5 hash function to generate the signature of the certificate, which is important because our certificate request has been crafted to result in an MD5 collision with a second certificate. This second certificate is not a website certificate, but an intermediary CA certificate that can be used to sign arbitrary other website certificates we want to issue. Since the MD5 hashes of both the legitimate and the rogue certificates are the same, the digital signature obtained from the commercial CA can simply be copied into our rogue CA certificate and it will remain valid.
So basically, they got a regular website certificate. But by using the PS3s they created a certificate that can sign other certificates (the regular certificate is not allowed to do this!), and because the created certificate and the regular certificate have the same hash it is accepted. They need the PS3s to calculate a certificate that would have the same MD5 hash.
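
The mechanism described in the comment above, as an added example that is not part of the original post or the researchers' code: a CA signature covers only the hash of the certificate body, so it verifies for any second body with the same hash, and it stops verifying once the hash is collision-resistant. Everything here is constructed for illustration: the toy RSA key, the certificate-like byte strings, and MD5 truncated to 24 bits standing in for a hash whose collisions are practical to find.

```python
import hashlib
from itertools import count

# Toy RSA key for the constructed "CA" (two Mersenne primes; far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def weak_hash(data: bytes) -> int:
    """Stand-in for a hash with practical collisions: MD5 truncated to 24 bits."""
    return int.from_bytes(hashlib.md5(data).digest()[:3], "big")

def strong_hash(data: bytes) -> int:
    """SHA-256, reduced modulo the toy key so it fits the toy signature."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(tbs: bytes, h) -> int:
    """The CA signs the hash of the to-be-signed bytes, never the bytes themselves."""
    return pow(h(tbs), D, N)

def verify(tbs: bytes, sig: int, h) -> bool:
    return pow(sig, E, N) == h(tbs)

def colliding_pair(site_prefix: bytes, ca_prefix: bytes, h):
    """Choose filler values so both constructed bodies hash to the same value under h."""
    seen = {h(site_prefix + b"%d" % i): i for i in range(4096)}
    for j in count():
        i = seen.get(h(ca_prefix + b"%d" % j))
        if i is not None:
            return site_prefix + b"%d" % i, ca_prefix + b"%d" % j

def demo():
    site, rogue = colliding_pair(b"CN=site.example;CA=FALSE;pad=",
                                 b"CN=Constructed Sub CA;CA=TRUE;pad=", weak_hash)
    weak_sig = sign(site, weak_hash)       # CA signs the ordinary website request
    strong_sig = sign(site, strong_hash)   # same request, collision-resistant hash
    return {
        "weak_sig_valid_on_site": verify(site, weak_sig, weak_hash),
        "weak_sig_valid_on_rogue": verify(rogue, weak_sig, weak_hash),
        "strong_sig_valid_on_site": verify(site, strong_sig, strong_hash),
        "strong_sig_valid_on_rogue": verify(rogue, strong_sig, strong_hash),
    }

if __name__ == "__main__":
    print(demo())
```

The signature made with the weak hash verifies on both bodies, while the one made with SHA-256 verifies only on the body the CA actually saw, which is why the fix is on the CA side: stop signing with MD5.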