Why Sony's Ongoing Network Problems Matter to You

ER, MAKE THAT “THROUGHOUT THE MONTH”: After getting hacked—and exposing sensitive user information from millions of accounts—the PlayStation Network responded with disingenuous tweets.

Readers of this column might have noticed a trend toward a lack of coverage of Sony products. There’s a reason for that.

Maybe Sony was resting a little too soundly on their laurels after the successes of the PlayStation 2 era, because right around 2005, Sony Computer Entertainment International got a little full of itself. The run-up to the PlayStation 3 launch was a time of unparalleled hubris, with statement after statement outlining a world in which gamers would blindly follow SCEI no matter how stupid they made themselves seem.

Perhaps the biggest issue was price. Former SCEI President Ken Kutaragi touched off a firestorm when he insisted in 2005 that consumers would work extra hours or get a second job to afford the PS3; his statement was turned on its head in 2006 when the PS3’s $600 price tag was unveiled. Many potential owners would have needed that second job to afford it, but few actually went to the trouble—opting instead to purchase Microsoft’s Xbox 360 or Nintendo’s Wii.

Meanwhile, early PS3 marketing attempts mirrored Sony’s devil-may-care-if-you-buy-it attitude, almost daring customers to decipher their insultingly nonsensical ad campaigns. Not many of them did, and Sony spent the next few years fighting its own self-imposed antagonistic image.

Still, if you had asked me last month for my opinion on the PS3, you’d have found me espousing a warmer view on the subject. There was no question that Sony’s short game was lacking, but, as of mid-April, Sony’s long-term prospects seemed to signal a level of foresight that could have built significant consumer confidence.

The Xbox 360 and the Wii have both seen considerable sales drops, seemingly due to the fact that everyone who wants a 360 or Wii probably already has one. Meanwhile, the base model PS3’s current $300 MSRP, while still significantly more expensive than the competition, is a much more palatable price point for what is agreed to be a more powerful machine.

So SCEI had almost recovered from its own early PS3 mistakes. That all changed in the worst possible way last month when a pair of large-scale network intrusions caused Sony to cut itself off from the online gaming world altogether.

Between April 16 and 19, both Sony Online Entertainment (Sony’s MMORPG division) and Sony’s PlayStation Network (Sony’s console and handheld online gaming portal) suffered sophisticated attacks that allowed intruders to gain access to sensitive account information from over 100 million user accounts. Additionally, the credit or debit card information of up to 10 million PSN users was potentially compromised. (Sony has been, as of this writing, unwilling or unable to confirm an actual number of financial accounts affected.)

Obviously, the hackers are the first cause of fault and deserve the first share of blame, but their intrusion came and went in four days. Sony’s own actions in this matter are showing themselves to be a juggernaut of incompetence months in the making, and the company has so far handled the problem in the worst way possible.

After finding out about the PSN breach on April 20, Sony shut down the network for “maintenance.” They waited until April 22 to admit that the shutdown was due to an external breach, and waited yet another four days to confirm the data loss. This oversight potentially gave PSN hackers a week-long head start with which to wreak financial havoc against millions of unwitting victims.

Despite this knowledge of the massive attack on the PSN, Sony failed to detect the SOE breach until May 1, even though the SOE attack had actually occurred before the PSN attack. Sony shut down all SOE services on May 2.

But perhaps the most damning evidence came in a May 4 Congressional hearing about the attacks, in which Purdue University computer science professor Gene Spafford dropped a bombshell: Sony’s servers were running unpatched server administration software with no firewall support, and Sony had been aware of this fundamental vulnerability for months. This potentially allowed the hackers easy access to Sony servers.

So how bad is this for you, the user? It varies: If you ever played EverQuest or bought a downloadable PSN game, it would be a good idea to file a fraud alert and request a new card from your bank or credit card company. Like, yesterday. (If you haven’t already done this, don’t be surprised if they already know.)

Consumers with memories long enough to consider the PS3 to be an old bad idea instead of a new one find themselves in a considerably better position. Microsoft has been in the security game for a long time, and a Microsoft attack as successful as Sony’s would be an order of magnitude more difficult. Conversely, Nintendo’s anemic online presence makes them a winner by virtue of being under the radar to hackers wanting to get the most bang for their buck.

As for Sony? Unfortunately, SCEI’s consumer goodwill, a battle-scarred veteran only now recovering from its own previous missteps, may have finally fallen on its own sword.

© 2011 MetroPulse. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Comments » 3

Grey4920 writes:

Yeah, half of this info is false, misleading, and shows that the writer has done none of the research on their own and has decided to base their article off of another.

PSN Servers were up to date and had firewalls set in place. The Apache version can be checked through an archive available on Google and you can get the version number there in April and see that it was up to date. The Congressman had reported that he read that from a news site, who had alternatively read that from various online forums.

Second, it took days to notify people that the breach took place and info was taken because, believe it or not, hackers like to cover up their tracks when they steal stuff like that and they don't want any evidence left that it was even copied from the servers. The FBI was called in when a worker noticed a few servers turned on and off when no updates were scheduled to be applied to the servers that day. The FBI then had to spend a few days uncovering the tracks left by the hackers.

SOE servers didn't shut down on themselves and they then decided to check to see if they had been attacked as well after they handled the PSN Servers. FBI examined them and found out what was taken and alerted the public within an hour of confirming that information was taken.

Also, the actual value of the parts in a PS3 is worth more than what they are sold for. That's why the amount of parts has seriously been trimmed down in the newer PS3s. Going from button sensors, 4 USB ports, card readers, extra chip for playing PS2 games, and a high quality looking finish to removing all of that with the exception of 2 USB Ports, which cut prices back. You can view the price of all the original materials easily online and see what it totals; you will have to look back to '06 to see the actual cost.

dprince writes:

The latest information regarding the version of Apache running on Sony's servers was made public several days after this column's deadline. These things happen when you write for a print publication, but they're regrettable nonetheless. (I have yet to find a similar dispute of Spafford's claims re: firewall status at the time of the breach.)

Despite this, the article's content is based on original research, albeit from sources since discredited. Thanks for reading!

daveprince writes:

This is, of course, assuming that the good people at the Beyond3D forums, et al - on which the refutations I'm seeing re: the Sony/Apache claims are based - were able to and in fact did check the Apache versions on every Sony server that communicates with the PS3.

So far, I'm seeing one link to one Google cache of one playstation.net server running Apache 2.2.17. A few purported logs are also floating around showing the same information side-by-side with several servers running 2.2.11, from 2008 (logs, unfortunately, can be easily spoofed, so little help there). At most, the Google cache which seems to be the current source cited as proof for refutation shows that one of Sony's servers was up to date.

Further complicating matters is the fact that the author of the Bitmob post which cites the Beyond3D forumer's research which turned up one playstation.net server running 2.2.17 is himself a member of those same forums and has been since 2005. He makes no secret of this fact, but this nonetheless leads to the possibility of confirmation bias through community solidarity, especially since his post history there re: the Sony breaches has been fairly solidly pro-Sony.

Ain't internet journalism fun, kids?
