[The main article is written by Gregory Hutto. Editors’ responses to the issue follow.]
The PlayStation Network outage is a complicated matter, shrouded in years of tension between the modding/hacking community and powerhouse Sony Entertainment. Ever since Sony announced that backwards compatibility and the Other OS feature would no longer be available on the PlayStation 3, a wedge has been driven between Sony and many of its consumers. It may be that very wedge that spelled out a hacker onslaught that led to the PSN outage of April 22nd. It’s coming to an end now, as the PSN is going live for many users, but it’s important the facts be clear. With the truth so obscured and much still unknown, it’s important that opinions be clearly formed and expressed. With that in mind, Vagary is proud to present a concise account of the known and unknown of the PSN Outage debacle, along with some educated and varied reactions.
The Facts – All Known and Unknown
For those not in the know of the facts in the PlayStation Network outage, the PSN outage is at the hands of a group of unknown hackers. A while back, a hacker named George Hotz, under the alias of “GeoHot”, found a security flaw in PlayStation’s design, in which a security firewall code was the exact same code on every console. In an effort to deter potential hackers, Sony motioned to get a legally obtained document with a list of all the IP addresses that had visited Hotz’s website displaying this code. While Sony knew this list wouldn’t be granted to them, they did it for the sake of posterity; they did it to intimidate those who worry that their curiosity may best them in the form of a large company’s legal hammer.
Sony was successful in scaring off numbers of would-be hackers from obtaining the information by convincing them that “Big Brother” would be watching. This greatly upset members of the Internet hacker conglomerate, Anonymous. It’s Anonymous’ position that those who sought out the information are entitled to do so, and by Sony obtaining their IP addresses, knowledge-seekers’ privacy is being compromised.
From a legal standpoint, those who sought out this hack code are indeed legally sound in their efforts. While it is illegal to reverse engineer protected hardware, firmware and software — like that of the PS3 — it is not illegal to seek out information on how to do so for educational purposes – i.e. you can learn how to hack protected materials or teach someone to, but you can’t actually do it. The idea behind this “loophole”, if you will, is that many can learn from security exploits and how to overcome them, should they want to apply their knowhow in a professional or personal atmosphere.
Even though Sony’s effort in obtaining a visitors list is seen merely as a gesture, Anonymous released a statement of their disgust in Sony that coincided with the compromise of certain Sony networks. Anonymous’ release didn’t explicitly state that they had caused the outage of Sony’s services, but did imply that Sony would be held accountable for “attacking” the hacker community and infringing upon Internet privacy.
With the first few outages, Sony started to reintroduce their network nearly right away. Many PSN users had made rumblings on the Internet, stating that they’d rather not have the PSN hacked, as Sony has plenty of personal information and many rely on the network for online gameplay. Anonymous later retracted their statement against Sony, but stated that Sony was still wrong in their actions. However, that would not be the end of it.
Just as things looked to be calming down, the entire PlayStation Network was compromised. Uncertain of who to blame, a lot of users assumed that Anonymous had indeed hacked the PSN. Anonymous first denied involvement, but it’s largely speculated that while Anonymous as a whole isn’t “officially” behind the attack, members of Anonymous may have gone through with a planned attack anyway. Sympathizers justify the attack on the premise that removing features like Other OS, the option to use Linux on a PS3, makes for a resistance against users, modders and hackers. Some feel as though their community is being attacked time and time again for the futile, guised effort of resisting piracy.
While the first attack seemed to make certain services malfunction, this attack led to Sony shutting down the entire network on April 20th of 2011. Sony had issued a statement that acknowledged that “some specific information appears to be stolen.” In an effort to minimize damage to their network and protect any information not yet obtained, Sony stated that the PSN would be down until their security was improved and far stronger; strong enough to endure any other potential attack.
It is now May 12th, and Sony has yet to reintroduce the PlayStation Network. Since the attack, many people have expressed concern over their potentially threatened personal information, including credit card information, home addresses and more. With the identity of the hackers and their motives unknown, this makes for a very uneasy time. There are also many others upset, simply for the fact that the online service is unavailable. At this point, no one is able to obtain new content, updates or play online with other users.
Sony claims that they are doing their best to get the network back up in full functionality as soon as possible, but they are unable to say when that will be. Though the PSN is now being slowly reintroduced, Sony has come under a lot of criticism for having a system that is seemingly overly vulnerable. Many publications have unearthed statements that suggest Sony knew of their security flaws but did not address them in a timely manner, as they should have.
As stated, the PSN is being reintroduced to many of its users in limited functionality. It’s unclear when the PSN will be available to everyone in full form, but it’s been suggested by some sources that it may be fully live as late as May 31st. Sony promises to offer a program that rewards its users – “The Welcome Back Program” – for their patience by providing a 30-day free trial of PlayStation Plus and additional content for MMO players. Sony has been corresponding with the US House of Representatives, releasing press statements and more. As of yet, there are no reports of credit card fraud, but Sony has stated that credit card fraud will be insured and all replacement cards and processes will be paid for. The investigation is ongoing.
Kyle Baron, Executive Editor — As of this writing, there isn’t enough evidence to implicate any one culprit to a degree of absolute certainty. But really, I don’t think gamers need to know the identities of the hackers to realize that, although Sony deserves a slap on the wrist for not being careful, the real villains are the hackers.
By disabling the PSN and setting about stealing the information of users, the hackers have made it clear that their activities are in the interest of no one but themselves. This isn’t some noble crusade to put a red flag on antiquated security systems, seeing as how the end result is customers and gamers being affected.
Though I’m sure that Sony will reimburse any customers who have their finances damaged as a result of the intrusion, it’ll likely be too hard to trace anyone’s identity theft back to this incident.
Sure, Sony is open to blame for allegedly leaving their databases’ security outdated, but they put out the PlayStation 3 with the intention of profiting off of a quality product; they should be lauded for being so cavalier with their product – PSN game sharing, free online, no proprietary HDDs or memory sticks – just as much as they should be chastised for not handling the incident a little more diligently. On the other hand, it’s obvious that the hackers didn’t have any noble intentions to begin with.
Gavin Townsley, Associate Editor — Like I have said many times before, I believe the major hurdle for Sony and Sony Online Entertainment (SOE) has been their consistently bad marketing and business decisions. This is in no way a reflection on the PS3 being a worse system than the Xbox 360 — they are both stellar consoles. This is a reflection on Sony as a business not being as effective as Microsoft or other developers. Microsoft’s Xbox Live network has been hacked before, and hacking is nothing new to the gaming industry. The problem here is that poor business practices by Sony and SOE are once again placing the burden on the shoulders of their customers. I don’t blame Sony for this entire fiasco, as a group of hackers are very much to blame for the theft. However, I am getting tired of seeing problem after problem creep up with the name Sony attached to it. I love my PS3, but continued incompetence and poor decision making are what drove me away from SOE based PC games to begin with. I hope this doesn’t trend into my console as well.
William Milby, Associate Editor — I know a lot of people are angry about the massive leak of personal information. But personally, I really could not care less. I did not have my credit card info on their servers, but even if I did, it would not matter. Every year, my wife and I have three or four credit card purchases from some dude in Las Vegas or Seattle, and we ring up Mastercard and say, “Hey, this happened.” They remove the charges and issue us new cards — no harm, no foul. And this is without any leak of info at all! I think Sony made their only bumble in not telling people to look for suspicious activity immediately, even before they were sure that credit card info was taken. The password could potentially be much worse if you are the type of person who has the same password for every account. But if that is so, then maybe this will get your butt in gear and remind you that that is not such a good idea. Go change your passwords!
The rest of the stuff can all be gotten out of a phone book, so no biggie there. And to anyone saying they won’t be storing any more info on Sony servers, I can promise, after they re-launch, they will be the most secure servers on the planet, short of the C.I.A. The only downside is that while they might be uber secure, they will still be the prime target of hacker groups who love a challenge. I think the real travesty is me not being able to play PSN for this long (I was cool for a bit, but now it is really getting annoying). I respect Sony for taking their time, but they should not have given us a time table for when it would be up again, you only disappoint people when you do that.
Ryan Kenward, Editor-in-Chief — The digital frontier, despite all of its remarkable innovation and rate of advancement, is still very much the Wild West. Any sort of person you can imagine in the world is now a member of this giant global demographic: from rich to poor, good to bad, harmless to harmful; every group is represented in force. Multibillion dollar corporations like Sony tend to take a stance that they are some God-like entity in the digital age that people should be afraid of. This attitude makes them a target, and in many regards, a justified target. If I were to assert I have the greenest lawn on the block with an air of arrogance, then I should not be surprised when someone comes along to take me down a peg. If any person, small business or corporation, wants to be well-liked and respected on the Internet, they have to be cognizant of all the people out there and be encouraging to everyone.
I cite the Linux community as an example of all sorts of people working harmoniously, from the casual user to the hardcore systems engineer — there is little room for ego. Sony’s attempt at intimidation, their arrogance and their greed got them into the mess they are in. Despite owning a few Sony products, I am overall displeased with them. You can’t use a Sony camera without buying their over-priced crappy media sticks. You can’t own a Sony TV and update firmware without having the drivers on a Sony USB drive. I hope that this event has served as a wake up to Sony (though I doubt it has), and that they will realize they need to work with the consumers, not against them.
Gregory Hutto, Associate Editor – I understand why people are upset, but the attack on us as victims is not Sony. It’s the hackers. There is a clear line between harmless modding and aggressive hacking. I don’t like that this attack may be from a group of people who feel their agenda is in the defense of Sony’s end-user. Even so, that is neither here nor there without proof. Nor is there proof that the credit card information is being used, so I feel like most people are bitter that they can’t play Portal 2 co-op. The excuse of potential credit card fraud is a bit too convenient, as of yet.
The big thing right now for users is to be honest with what this situation is. It’s not as if Sony wanted this to happen, so accusing them of poor security is a waste. Were they vulnerable? Probably, but in all honesty, most companies and networks are. Being ahead of the curve in the game of “Cat and Mouse” that is hackers vs. engineers is a waste of resources. It’s hard to fully explain so that all you may appreciate what I mean by that, but understand that from my technical perspective, this wasn’t the catastrophic failure on Sony’s part that many believe it to be. Simply pray for the return of PSN, understand that there’s nothing you can do now, and find something to do in the meantime.
Jeremy Goodson, Managing Editor – I have to first say that I have been a fanboy of Sony and SOE for a long time. I’ve chosen PlayStation over any other console ever since I first played a PS1. I’ve also played every single one of SOE’s MMORPGs for extended periods of time — with the exception of DCUO — which included a 10 year tenure in EverQuest. It seems that over the past couple of years, though, Sony in general has made some very poor business practices. The first big problem that I ran across was SOE implementing an extremely expensive cash shop into their already pay-to-play MMOs, basically milking the customers for as much money as they could possibly get out of them. This trend still continues in their games.
Looking beyond the MMO issues, I seem to be losing more and more respect for what used to be one of my favorite companies in gaming. Since the PSN and SOE networks have gone down, we keep getting inundated with new information which all makes Sony look worse and worse. Yes, it’s scary to think that they let leak a plethora of personal information about their customers, but what is more scary is that Sony was told about their lackluster security – old, unpatched security software (from 2006) with no firewall installed – and refused to do anything about it!
Talk about giving your customers the finger! It’s easy to just say “it’s all the hackers’ fault!!!” and look the other way, but in the end the attack could have been completely avoided had Sony just taken the proper precautions ahead of time, updated their software and…I don’t know…maybe put an encrypted firewall on the servers that stored all of our personal information…