QUEEN’S RUBBER DUCK – Moving past PSN melodrama

Thursday, 28 April 2011 06:38 GMT By Brenna Hillier

Oh, the humanity. Sony has taken a lot of flak over PSN-gate – some deserved, much more unwarranted. Let’s give the Japanese giant some credit for a nasty job done right.

Disaster Timeline

The PlayStation Network went down on Wednesday, April 20

On April 23, Sony announced an “external intrusion”

Developers were warned of “emergency maintenance” by April 26

Nearly a week after the initial shutdown, Sony announced user data had been compromised

No, the world hasn’t ended. You can stop vomiting. PSN was taken down last Wednesday after being hacked. It’ll be back up again in a few days. Here’s why you should be getting on with your lives.

What did Sony do right?
Practically everything. Sony’s reaction to the detection of a network security breach was picture-perfect, beginning with: shutting PSN down without warning.

Think about it. In whose interest is it to shut the PSN down? Sony did not, at the time the breach was detected, understand that the hackers had penetrated far enough into its systems to compromise user data. According to industry and hacker rumour, Sony was first alerted to a problem when those scoring free games and account credit through a custom firmware-enabled exploit of the developer-only network got a little too greedy. Keeping PSN up and stalking its prey would have been a tempting option.

But Sony played by the rules. Acknowledging the risks, it slammed the doors shut, called in outside expertise, and prepared for a total overhaul of the system if necessary. Closing PSN for a week over a holiday weekend is, clearly, a nightmare for the platform, even putting aside lost revenue. But against the possibility of letting hackers have their way with user data? It’s nothing to Sony. It takes security seriously.

No really, it does. Put aside what you’ve been told by some bloke in the pub for a minute, and pay attention to reality. Every network in the world can be hacked, with enough time, skill, and patience.

There’s been some loose talk about console and social networks being easier targets for hackers than, say, banks, but that doesn’t make them easy. Next time a major financial institution is compromised, you can bet your bottom dollar someone will find something to describe as inadequate in its security. Xbox Live got caught with a phishing scam just yesterday. That’s the state of network security in 2011: inadequate.

Requirements vary by jurisdiction, but very few territories have strict legislation on what preventative measures companies storing personal data must use. The UK Information Commissioner’s Office (ICO) is investigating Sony, yes, and if the company is found negligent it will face massive backlash in multiple countries. But there’s a strong likelihood the PlayStation Network will be found to meet minimum standards.

In the face of so much bad press, Sony has to be lauded for sucking in its gut and telling us what we needed to know, almost as soon as it knew – that the personal data of account holders had been compromised.

Note: compromised, not stolen. Compromised means the intruders reached the systems holding the data; whether they copied any of it out is a separate question, and Sony has no evidence that anything has actually been taken.

Here’s an analogy – PlayStation Network is a locked box, divided into compartments, each of which has its own additional locking mechanism. When Sony noticed the external lock had been tampered with, it shooed everyone out of the room to figure out what had happened, and fit a better lock.

Soon after, with a sinking heart, it noticed scratches around the lock on the compartment marked “user data”. It’s had a look in there, and nothing seems to have been shifted, but until it can dust for fingerprints and run one of those UV lights over it, it can’t yet be 100 percent certain the information inside wasn’t copied – just 99 percent.

So, knowing the media would jump all over it, knowing the panic it would cause, Sony responsibly admitted the possibility. It’s taking the PR hit stoically.

What did Sony do wrong?
It’s a short list: it didn’t communicate.

I received an email this morning informing me of the outage, the security breach, and the possible compromise of my personal data. Each of these facts was known to me days before – I first read (and indeed, wrote) of the outage over a week ago.

This long-lasting silence is Sony’s biggest failing, not just because it shows disrespect for users, but also because it left time for misinformation, rumour, speculation and lies – the four horsemen of the PR disaster apocalypse – to get their spurs on, and whip the informed gaming world into a frenzy.

If Sony takes one lesson from this mess, it’s that those mail-outs needed to happen within the hour. We’re a lot more forgiving when we feel like we’re involved, not standing on the edge of the crowd, clueless and angry.

More Information

Primary coverage of events and repercussions

Official Sony Support FAQ

PSN Outage Q&A

SOE says none of its user data has been lost – as far as we know

Sony’s T&C’s protect the company in case of security breach

The ICO announces an investigation

US Senator attacks Sony for lack of communication

Anonymous denies responsibility

Purported hacker logs claim gaping security holes

Data security research firm estimates costs of $24 billion

What about me?
You should cancel your credit card. However slim the chance that your card details were copied, you shouldn’t gamble your financial security on it. Watch your statements in the meantime.

But while you’re at it, get in touch with your bank, your workplace, your social network, your MMO – any identity you log into, and whose loss would trouble you – and set up additional security measures: double authentication (a second factor, such as a code from an app on your phone), long passwords you don’t reuse between sites, and secret questions whose answers can’t be dug out of your Facebook page or your bin. And don’t grumble about what a hassle it is.

The information stored on PSN – your name and address, date of birth, a few other bits and bobs alongside your credit card details – is all a fraudster needs to get into most of your life. You very likely type most of it into every website you register for, send it off over plain, unencrypted HTTP, and trust it to be used safely.

Have you ever called your bank and forgotten your PIN? What security questions did they ask you? Could your partner or a friend (or your neighbour, or somebody with a pile of print-outs taken from your recycling crate) have answered those questions, changed your contact details, and usurped your identity?

You’re a weak link here. You’re not aware of how much you give away about yourself. You trust, foolishly, that nobody can breach the walls society puts around you. You’re wrong. You can’t blame PSN for that; it doesn’t store anything you wouldn’t hand over anyway.

The PlayStation Network is likely to be back up and running within a week, very probably with all your trophies, saves, and data intact. We know Sony has new security features in mind – it’s in the process of migrating servers even now, and don’t be surprised if an optional double-authentication app turns up next month.

We’ll forget all about this, then. What doesn’t kill you makes you stronger. Treat yourself to an extra rubber duck for your bath.