Why Sony's Ongoing Network Problems Matter to You

Readers of this column might have noticed a trend toward a lack of coverage of Sony products. There's a reason for that.

Maybe Sony was resting a little too soundly on their laurels after the successes of the PlayStation 2 era, because right around 2005, Sony Computer Entertainment International got a little full of itself. The run-up to the PlayStation 3 launch was a time of unparalleled hubris, with statement after statement outlining a world in which gamers would blindly follow SCEI no matter how stupid they made themselves seem.

Perhaps the biggest issue was price. Former SCEI President Ken Kutaragi touched off a firestorm when he insisted in 2005 that consumers would work extra hours or get a second job to afford the PS3; his statement was turned on its head in 2006 when the PS3's $600 price tag was unveiled. Many potential owners would have needed that second job to afford it, but few actually went to the trouble—opting instead to purchase Microsoft's Xbox 360 or Nintendo's Wii.

Meanwhile, early PS3 marketing attempts mirrored Sony's devil-may-care-if-you-buy-it attitude, almost daring customers to decipher their insultingly nonsensical ad campaigns. Not many of them did, and Sony spent the next few years fighting its own self-imposed antagonistic image.

Still, if you had asked me last month for my opinion on the PS3, you'd have found me espousing a warmer view on the subject. There was no question that Sony's short game was lacking, but, as of mid-April, Sony's long-term prospects seemed to signal a level of foresight that could have built significant consumer confidence.

The Xbox 360 and the Wii have both seen considerable sales drops, seemingly due to the fact that everyone who wants a 360 or Wii probably already has one. Meanwhile, the base model PS3's current $300 MSRP, while still significantly more expensive than the competition, is a much more palatable price point for what is agreed to be a more powerful machine.

So SCEI had almost recovered from its own early PS3 mistakes. That all changed in the worst possible way last month when a pair of large-scale network intrusions caused Sony to cut itself off from the online gaming world altogether.

Between April 16 and 19, both Sony Online Entertainment (Sony's MMORPG division) and Sony's PlayStation Network (Sony's console and handheld online gaming portal) suffered sophisticated attacks that allowed intruders to gain access to sensitive account information from over 100 million user accounts. Additionally, the credit or debit card information of up to 10 million PSN users was potentially compromised. (Sony has been, as of this writing, unwilling or unable to confirm an actual number of financial accounts affected.)

Obviously, the hackers are the first cause of fault and deserve the first share of blame, but their intrusion came and went in four days. Sony's own actions in this matter are showing themselves to be a juggernaut of incompetence months in the making, and the company has so far handled the problem in the worst way possible.

After finding out about the PSN breach on April 20, Sony shut down the network for "maintenance." They waited until April 22 to admit that the shutdown was due to an external breach, and waited yet another four days to confirm the data loss. This oversight potentially gave PSN hackers a week-long head start with which to wreak financial havoc against millions of unwitting victims.

Despite this knowledge of the massive attack on the PSN, Sony failed to detect the SOE breach until May 1, even though the SOE attack had actually occurred before the PSN attack. Sony shut down all SOE services on May 2.

But perhaps the most damning evidence came in a May 4 Congressional hearing about the attacks, in which Purdue University computer science professor Gene Spafford dropped a bombshell: Sony's servers were running unpatched server administration software with no firewall support, and Sony had been aware of this fundamental vulnerability for months. This potentially allowed the hackers easy access to Sony servers.

So how bad is this for you, the user? It varies: If you ever played EverQuest or bought a downloadable PSN game, it would be a good idea to file a fraud alert and request a new card from your bank or credit card company. Like, yesterday. (If you haven't already done this, don't be surprised if they already know.)

Consumers with memories long enough to consider the PS3 to be an old bad idea instead of a new one find themselves in a considerably better position. Microsoft has been in the security game for a long time, and a Microsoft attack as successful as Sony's would be an order of magnitude more difficult. Conversely, Nintendo's anemic online presence makes them a winner by virtue of being under the radar to hackers wanting to get the most bang for their buck.

As for Sony? Unfortunately, SCEI's consumer goodwill, a battle-scarred veteran only now recovering from its own previous missteps, may have finally fallen on its own sword.