PlayStation 3 used to hack SSL, Xbox used to play Boogie Bunnies

Between the juvenile delinquent hordes of PlayStation Home and some lackluster holiday figures, the PlayStation has been sort of a bummer lately, for reasons that have nothing to do with its raison d'être -- gaming. That doesn't mean that the machine is anything less than a powerhouse -- as was made clear today when a group of hackers announced that they'd beaten SSL, using a cluster of 200 PS3s. By exploiting a flaw in the MD5 cryptographic algorithm (used in certain digital signatures and certificates), the group managed to create a rogue Certification Authority (CA) which allows them to create their own SSL certificates -- meaning those authenticated web sites you're visiting could be counterfeit, and you'd have no way of knowing. Sure, this is all pretty obscure stuff, and the kids who managed the hack said it would take others at least six months to replicate the procedure, but eventually vendors are going to have to upgrade all their CAs to use a more robust algorithm. It is assumed that the Wii could perform the operation just as well, if the hackers had enough room to spread out all their Balance Boards.
[Via ZD Net]

So from all these articles I now know my PS3 is a WMD. Please Bush, don't invade my dorm room. It's only one little PS3.
Do you have any oil wells in your dorm room?
If not, I think you're safe! *ba-dum pshhhh*
Tip your waitress!
It's almost 2009 and you're still making George Bush and WMD jokes? Come on now.
@DWells55: It's not *yet* 2009/1/20.
@DWells55: It's almost 2009 and you *still* have troops in Iraq?
Meh. It's almost 2009 and we *still* have troops in Europe. Interesting story behind that one...
Jbuers, you snotty kids with the solar power cars really get to me. Hopefully the Islamists get to you!
Now we know where all the PS3's sales came from.
Thank you so much Enigma for making that point. Too many people on both sides of the puddle forget that Europe would be nothing like it is today without the U.S. I'm sick of all the ultra liberal - hippie - Bush bashers that know nothing about fact or history and yet they still open their mouths spouting their propaganda. Oh yeah and the PS3 is amazing.
Wow, this Alex guy thinks exactly like me. Good to see that not everyone on the internet is a retard.
@Alex
They (Third Reich & its ally) actually invaded other countries, Iraq did not.
At least half of the international community allied with U.S. (even Soviet Union), this is not true either about Iraq.
Let's face it. The Iraq war is not popular and it cannot have support as U.S. had in WWII
Ha ha and I'm glad, Anthony-E, that I'm not alone because it sure feels that way most of the time.
I'd like to ask: "is it just me or is the PS3 good at everything but gaming?"
but some asshole on Engadget would reply "it's just you" and get a Highest Ranked.
Therefore I will make a declarative statement.
THE PS3 IS GOOD AT EVERYTHING EXCEPT GAMING.
"Thank you so much Enigma for making that point. Too many people on both sides of the puddle forget that Europe would be nothing like it is today without the U.S."
The US aren't in Europe for anyone else but themselves. It allows you to launch fighters/bombers during conflicts without the need of a carrier; it also allowed (possibly still does) the storage of nukes during the Cold War. It also allows you to ship people out to countries that haven't banned torture in order to sidestep your own laws.
There are an awful lot of people who are grateful for the US's entry into WW II - albeit a late entry - but that does not excuse anything and everything the US does that is wrong. This Bush is not representative of your other presidents at all - this Bush is a dufus.
@FuzzyCat
The difference is, none of these European countries WANT the U.S. to leave. These military installations with thousands of soldiers and families have become a large part of their economies. A lot of towns in Germany would turn into dust-bowls if the U.S. military pulled out. Bush has actually THREATENED to pull our troops out of Europe when he doesn't get his way.
You know, you're not allowed to export systems like the PS3 or Xbox 360 to countries that sponsor terror right? It's illegal. Heck, even the PS2 made the list back in the day!
Hacking with a Wii Balance Board, now that sounds like a movie from the 80s I would LIKE to see!
*girls* hacking on Wii balance boards
Woot, I'm actually first. Think they would give me one of those PS3s?
You fail so hard it's funny.
+1 from me.
smh...it was my first time commenting, I woulda been first but I didn't know I had to confirm lmfao...w/e, now I know
Worst comment ever. For multiple reasons.
certainly not useful...
....but ridiculously impressive
the knowledge of my sweet generation, we kick ass. :-)
aww man... i tried
At least someone found a use for the PS3.
Tool.
Actually, I do have Tool loaded up on mine.
@Game_playa
The fact that you take offense to my silly little statement shows us who the tool is...
this is just saaaaad. no one is playing their ps3.
I don't know why I checked but kjb you have 666 comments on engadget.
200 PS3s * $400 each = $80,000
Rich group of hackers maybe...
I could be wrong, but I'm pretty sure Sony has offered clusters at a wholesale discount to buyers like these; Scientists, unis, hackers and such
It's funded by a school from the Netherlands of course ;).
"I could be wrong, but I'm pretty sure Sony has offered clusters at a wholesale discount to buyers like these; Scientists, unis, hackers and such"
Yeah. I mean, it's not like anyone is using them for gaming. They have to do something with them.
A loss for Sony since those hackers don't intend to purchase any games or accessories for it, which is pretty much how console mfrs make a profit these days.
A result of collaboration of crackers using Cracking@home?
Question is though... How many different companies have done that... bought hordes of PS3s to use as a supercomputer...
So how INFLATED is that number sold due to these "PS3 Super Computers"
Try again Sony... It's not a game console, it's an F'in PC...
$80k... I'm pretty sure this was done with a lot less. After all, someone cracked WPA with an NVIDIA GPU. I'm really not impressed that it would take 200 PS3s to hack something. That doesn't exactly mean they are powerful. $80k could buy you one really powerful system far superior to 200 PS3 systems.
@mic2000
Which one? TU Eindhoven?
Assuming these were bought recently, at $50 per console, that Sony lose, this system costs Sony $1000. Thinking about it, every PS3 that is bought for these purposes ends up quite expensive for Sony.
I believe you meant to say $10000.
Yeh, damn typos!
..but what about the marketing value gained, free exposure to blog etc? To throw more numbers in the mix, according to Consumer Depot lower price for a 80GB PS3 is 349 USD or 69800USD for all 200 of them. Add some networking gear and time spent, this hack was a pretty major one. I bet Sony is very happy..
Doesn't really matter how much exposure they get in the press for this kind of thing. All it does is make more people want to buy the PS3 for this sort of job, NOT to play games. Which of course means that Sony loses more money per PS3 sold...
The other thing I'm wondering about though is how many of the PS3s that are sold each week are being used for projects such as this? This is certainly not the first time I've heard of PS3s used to do massive computing projects, so... any guesses as to the percentage of PS3s sold that are being used for their computing power and not for their gaming potential? I'm thinking 5%...
I'm no math genius, but Sony would lose a whole lot more than $50 if you don't buy a PS3 in the first place! :)
@Charlie......
as those people surely don't go to 50 or so stores to pick up 2-4 PS3s then it's not included in the NPD numbers.......
Yeah it can fold like a motha too.
If I am ever obscenely rich I am buying a cluster of PS3s to fold@home till I cure all those diseases.
"the group managed to create a rogue Certification Authority (CA) which allows them to create their own SSL certificates"
Huh? It takes virtually no effort to create your own CA and even less to create your own SSL cert - did you mean to say that they recreated one of the valid standard CAs with their own info and then generated SSL certs from that?
Just my thought. The whole article didn't seem very impressive, neither necessitating 400 PlayStation 3. :P
According to the "Read" link:
Our attack scenario basically is as follows. We request a legitimate website certificate from a commercial Certification Authority trusted by all common browsers. Since the request is legitimate, the CA signs our certificate and returns it to us. We have picked a CA that uses the MD5 hash function to generate the signature of the certificate, which is important because our certificate request has been crafted to result in an MD5 collision with a second certificate. This second certificate is not a website certificate, but an intermediary CA certificate that can be used to sign arbitrary other website certificates we want to issue. Since the MD5 hashes of both the legitimate and the rogue certificates are the same, the digital signature obtained from the commercial CA can simply be copied into our rogue CA certificate and it will remain valid.
So basically, they got a regular website certificate. But by using the PS3s they created a certificate that can sign other certificates (the regular certificate is not allowed to do this!), and because the created certificate and the regular certificate have the same hash it is accepted. They need the PS3s to calculate a certificate that would have the same MD5 hash.
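The attack quoted above only works against a CA that still signs with MD5, so a practical defensive check is to read the signature algorithm out of each certificate and flag MD5. The following Python sketch is an added example, not part of the original post or its comments. Its function names and the two skeleton inputs are constructed for illustration, and it goes slightly beyond the page's MD5 case by also listing MD2 and SHA-1.

```python
import ssl

# PKCS #1 signature OIDs: MD5 is this page's case; MD2 and SHA-1 are also deprecated.
WEAK = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(data):
    """Decode DER OID content bytes to dotted-decimal text."""
    arcs, value = [], 0
    for b in data:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)          # first value packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_oid(cert):
    """Return the outer signatureAlgorithm OID of a DER or PEM certificate."""
    if cert.startswith(b"-----BEGIN"):
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii"))
    tag, start, _ = read_tlv(cert, 0)                 # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)             # skip over tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert, tbs_end)   # signatureAlgorithm SEQUENCE
    oid_tag, o, oe = read_tlv(cert, alg_start)        # algorithm OID inside it
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 Certificate structure")
    return decode_oid(cert[o:oe])

def weak_signature(cert):  # name of the weak algorithm, or None if not on the list
    return WEAK.get(signature_oid(cert))

def skeleton(oid_hex):
    """Constructed sample: a Certificate shell with placeholder fields, not a real cert."""
    def tlv(tag, content):                 # short-form DER lengths are enough here
        return bytes([tag, len(content)]) + content
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))

MD5_SAMPLE = skeleton("2a864886f70d010104")     # md5WithRSAEncryption
SHA256_SAMPLE = skeleton("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Run `weak_signature` over every certificate in a served chain, intermediates included, since the rogue certificate described above is an intermediate CA certificate.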
WTF!? Are they actually trying to imply they've cracked the MD5?
No, they've exploited a weakness in the program that created it. Reverse-engineering really, cutting down the number of md5-sum:s potentially created. I think.
No, they haven't cracked MD5... I'm pretty sure cracking MD5 is still a long ways away. What they did was exploit a vulnerability that was discovered in recent years that allows you to easily find colliding hashes (i.e. two different things that produce the same hash).
See: http://en.wikipedia.org/wiki/Birthday_attack
I could do that with my Nokia smartphone, if it got enough time.
pshh.
i *so* did that last month with the iSSL app i dl'd to my iphone.
/sarcasm
My point, which apparently flew over your head, was that this can be calculated with any platform, it's just a matter of time, and does not prove the Cell to be better or something.
YES, it can be done with a cellphone. But it will take, like, forever.
Which, uh, DOES prove the cell processor to be better. Take 400 of your Nokia phones (or 400 iPhones) and try to do the same thing and it'll take a lot longer to do it than with 400 PS3s. Probably by a factor of 10 or more.
Just because you CAN do it on your cell phone doesn't mean that your cell phone is just as good as a cell processor at this sort of stuff (or really, at anything...).
Doesn't the ability to do the same thing in less time make it better suited for a task? ¯\(o_º)/¯
Hmm, I guess all these newfangled quad core processors aren't really better than a Pentium 1. Darn marketing hype, I could just start booting up and go watch a movie, they're not really better.
I mean, feel free to hate on the PS3 or Cell, just saying ...
I can't see why you have a hard time understanding what I wrote. I didn't say that the PS3 sucked, all I said was that whatever they computed can be computed on any platform (Xbox, ARM, PC, Sega), and there's nothing special about cracking using this one.
"Just because you CAN do it on your cell phone doesn't mean that your cell phone is just as good as a cell processor at this sort of stuff"
Eh, no, did I say so?
"Hmm, I guess all these newfangled quad core processors aren't really better than a Pentium 1"
Intel processors are another discussion, because your fancy quadcore really isn't more than a whole lot of 486es bundled together. Same with any Intel processor.
Oh. For a minute I thought the picture explained the douchebag majority in Home.
I thought this was about transport security anyway? I wouldn't put my details in a site I didn't think was reputable even if it was https.
This is not about transport security, it's about website verification. If I understood it correctly, the transport will still be secure (well, as secure as usual), but through this hack, they can 'certify' websites that are not legitimate. So you can communicate securely with a website that was set up by a scammer or whatever.
Given that all you basically need is a maildrop and fake headed notepaper to get a 'legitimate' certificate, I'm not sure how useful this is precisely, but possibly you can also set up the certificate details to make your paypal.securitycheck.info phishing site show the little green thingy in Firefox that says 'Paypal Inc, US'.
If you aren't running a phishing operation, you could also save yourself money in not having to purchase SSL certs from a vendor... but you could buy an awful lot of SSL certs for the price of 200 PS3s.
Couldn't this be done faster/more efficiently with just a whole bunch of Nvidia GPUs?
Depends on the precision needed.
But can it play Crysis?
OK that's a bit old.
no! bad comment! bad!!
WOOT! Go PS3!
Is it bad that my first thought at seeing the picture was, "who did that crappy cable job?"
Seems like the Cell processor is doing some nice work in the computing field. Can't wait till game developers actually figure out how to use it to its full potential.
The PS3 is just like a regular computer. CPUs are bad at floating point calculations and other aspects of 3G gaming. It's the GPU that is responsible for anti aliasing and all the monitor/visual related aspects of a game. The PS3 is an underpowered system in terms of GPU and overall RAM/Video RAM. That's why 360 kicks its ass in actual graphics despite being less of a machine in terms of processing.
I hope the next generation of consoles is at least twice as powerful as current PCs that can run Crysis on Very High mode.
Of course, they are gonna DESTROY electric bills unless they get 45nm (or less) process CPUs.
Show me a game that looks like this on 360:
http://www.youtube.com/watch?v=lYIp3fUXxsM&fmt=18
http://talkplaystation.com/killzone-2-e3-2005-vs-playstation-day-2008/
You're complaining about the PS3 being just a regular computer? The 360 is even more so. At least the PS3 has an amazingly powerful CPU in comparison.
I would not call anyone with access to 200 PS3 "a group of kids" or "hackers." This is called organized crime. Then again, it was done in order to highlight the vulnerabilities of our current SSL system. So, it's all good.
They weren't "kids", and yes, they were hackers. You can check the lead guy's blog in fact to see the various things he's done; www.phreedom.org
Where are these hackers getting this money to buy 200 PS3s??
Selling drugs.
they are hackers........so maybe........an account of 4 they hacked?? maybe yours
They didn't.
http://www.win.tue.nl/~bdeweger/PS3Lab/
anyone suspect that these PS3s "fell off a truck"? I mean, come on, who the hell would BUY that many?
hackers
The way I see it, if they were good hackers, they could TRICK the stores into delivering them PS3s and screwing their records up to make it look like they actually bought them.
Frankly, the PS3 is an impressive piece of COTS equipment. It is a much more refined piece of hardware than the 360. Clearly the most versatile of the current gen gaming consoles. I don't understand all the hating on the contraption.
Price. Oh, and the army of Xbox360 fans who would defend their red ring box to death because they know it's terrible hardware.
Eh, they stuck my reply under the guy above instead of here. BORDERS!!! I need borders!
I thought it was pretty obvious why people buy the 360 over the PS3, because most people just want to play games and aren't willing to pay $400+ when they can get basically the same games minus the bells and whistles for $100-$200 less.
@Mitch
Um, did he ask why more people buy one of the consoles over the other? No, he did not. He asked why people choose to hate on the console so much. Nobody cares about your completely nonfactual opinion on why you think the 360 "sells more".
Now, to answer your question Viator, my guess is that it's a mix of disappointment that they can't afford the console with some buyer's remorse of owning an inferior "next-gen console".
Oh Engadget, you made me laugh with the last line. Put on some virtual reality goggles and mix it with the balance board and you got.....Tron. :P
Because the jerks sold a GAMING console for nine hundred bucks and when asked how they thought their target market could afford it the president of the company pretty much went on record with, "Ehhhh, suck it. They'll buy and they'll kiss our collective butts for it!"
Or so I guess.
Sony should add a 22 inch LCD/LED monitor, full size keyboard, swap the PS3 Blu-ray player to a burner, add a bigger HD and system RAM, and sell the whole lot as a package. Oh and make the PS3 case, keyboard and monitor in metallic red.
Silly idea I know but it would be fun to see it for real in a lab working hard.
....so make it a janky PPC computer?
Will they blend?
If they're all bone and flesh, then yes, they will blend.
Androids on the other hand, they are tough. (No bad pun intended)
What discount is Sony offering scientists and the like that are buying a lot of them for clusters?
I assumed the scientists were just picking them up at Wal-Mart...lol
"...a group of hackers announced that they'd beaten SSL, using a cluster of 200 PS3s"
They accounted for 50% of PS3 sales this holiday season =).
ummmmmmmm no........as that's not INCLUDED in NPD data.............fucking trolls.........
It is if they bought it in any retail store.
I highly doubt they went to about 40 retail stores buying PS3s (assuming that each store doesn't allow them to buy more than 5 consoles).
What store wouldn't want to sell 200 PS3s in one chunk?
Well quite frankly I don't see the big deal, I imagine if someone linked 200 quadcores or even dual cores together they could do the same thing. Big frackin deal? Who gives a damn? As stated earlier this is publicity; even bad publicity is beneficial for boosting sales, to not only people getting the system for the deeds shown in this article but as well the average joe. The more hype and publicity something has, the more people buy it. Why? Because it's the trendy thing to do! The same reason World of Warcraft is so big, because it is mainstream and "trendy".
Anyone with an issue with anything I have said, don't expect a response to any comments made. I have neither the time nor the care to reread this article.
I found the answer: the hackers don't own the PS3s.
They were borrowing time on a research lab's cluster (specifically 18hrs):
http://www.win.tue.nl/hashclash/rogue-ca/
"We had about 200 PS3s at our disposal, located at the "PlayStation Lab" of Arjen Lenstra at EPFL, Lausanne, Switzerland "
"Managed and acquired by Arjen Lenstra's Laboratory for Cryptologic Algorithms (LACAL) with funding from EPFL's Domaine IT and a matching funds grant from the Fonds National Suisse de la Recherche Scientifique, in collaboration between LACAL, the Laboratoire d'ingénierie numérique (LIN) and the Centre de Recherches en Physique des Plasmas (CRPP)."
It's almost 2009 and we still have troops in Korea.